23542300x8000000000000000889466Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:16:41.832{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7359EA1427D14ACCE5E0DD571BF4EDBD,SHA256=F8BE4F5611E829CEA96F14DB2508CFBED564A65A4574F315E7055B70B64B0786,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001026261Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:16:41.729{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DD8-60FA-1500-00000000E601}1132C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001026260Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:16:41.729{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DD8-60FA-1500-00000000E601}1132C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001026259Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:16:41.729{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DD8-60FA-1500-00000000E601}1132C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001026258Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:16:41.729{2E2BE06D-6DD6-60FA-0B00-00000000E601}6364432C:\Windows\system32\lsass.exe{2E2BE06D-6DD3-60FA-0100-00000000E601}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001026257Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:16:41.620{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DD8-60FA-1500-00000000E601}1132C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001026256Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:16:41.620{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DD8-60FA-1500-00000000E601}1132C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001026255Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:16:41.620{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DD8-60FA-1500-00000000E601}1132C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001026254Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:16:41.620{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DD8-60FA-1500-00000000E601}1132C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001026253Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:16:41.620{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DD8-60FA-1500-00000000E601}1132C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001026252Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:16:41.620{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DD8-60FA-1500-00000000E601}1132C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001026251Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:16:41.620{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DD8-60FA-1500-00000000E601}1132C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001026250Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:16:41.620{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DD8-60FA-1500-00000000E601}1132C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001026249Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:16:41.620{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DD8-60FA-1500-00000000E601}1132C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001026248Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:16:41.620{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DD8-60FA-1500-00000000E601}1132C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001026247Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:16:41.620{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DD8-60FA-1500-00000000E601}1132C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001026246Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:16:41.620{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DD8-60FA-1500-00000000E601}1132C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001026245Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:16:41.620{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DD8-60FA-1500-00000000E601}1132C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001026244Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:16:41.620{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DD8-60FA-1500-00000000E601}1132C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001026243Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:16:41.620{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DD8-60FA-1500-00000000E601}1132C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001026242Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:16:41.120{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=148181A56BF130DB7890C44732A25773,SHA256=FF14A7630D84304E1173559F69F4AA05713A5E733F42F3D9DEFE01A9BDDF6919,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000889467Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:16:42.847{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=039CD7A81937031B68B97993CAD8F734,SHA256=2A8879F8E049D081A3482001669A817FAAD60A92BD5182584FF138F0C3721315,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001026270Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:16:42.864{2E2BE06D-6DD3-60FA-0100-00000000E601}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:90d2:7368:bb37:9ac5win-dc-56.attackrange.local59139-truefe80:0:0:0:90d2:7368:bb37:9ac5win-dc-56.attackrange.local445microsoft-ds 354300x80000000000000001026269Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:16:42.864{2E2BE06D-6DD3-60FA-0100-00000000E601}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:90d2:7368:bb37:9ac5win-dc-56.attackrange.local59139-truefe80:0:0:0:90d2:7368:bb37:9ac5win-dc-56.attackrange.local445microsoft-ds 354300x80000000000000001026268Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:16:42.765{2E2BE06D-6DD6-60FA-0B00-00000000E601}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-56.attackrange.local59138-false10.0.1.14win-dc-56.attackrange.local389ldap 354300x80000000000000001026267Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:16:42.765{2E2BE06D-6DD8-60FA-1000-00000000E601}384C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-56.attackrange.local59138-false10.0.1.14win-dc-56.attackrange.local389ldap 354300x80000000000000001026266Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:16:42.756{2E2BE06D-6DD6-60FA-0B00-00000000E601}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:90d2:7368:bb37:9ac5win-dc-56.attackrange.local59137-truefe80:0:0:0:90d2:7368:bb37:9ac5win-dc-56.attackrange.local389ldap 354300x80000000000000001026265Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:16:42.756{2E2BE06D-6DD8-60FA-1000-00000000E601}384C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:90d2:7368:bb37:9ac5win-dc-56.attackrange.local59137-truefe80:0:0:0:90d2:7368:bb37:9ac5win-dc-56.attackrange.local389ldap 23542300x80000000000000001026264Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:16:42.714{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=770813C802D62FBE512EC1B84D392BF1,SHA256=950511187A93D25D81A19F4CA0819DD9C7BDF03AB2C02AE2315C3794AF7BBC10,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001026263Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:16:42.714{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=695BD4A72F7D4F0A9143AC016744AEF9,SHA256=B5AF8C4D15412E31F355F3D9DF14305505C1BDA4F007AF0667EFD9033B30E4F9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001026262Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:16:42.135{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA5B75F52A97907A260F4C4D7D0FC720,SHA256=8ACD0DA9A61266959BA6BC64BC58CEDE24CC3AAFDEA881DD3796F30BDE29CA42,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000889468Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:16:43.863{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F8A96B5E70E19AA5DFE770A4C6BFB875,SHA256=41B5945E687DFA0CCB5FF2F654C8139388FE349A0B342B964F3279C8048A6255,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001026271Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:16:43.151{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C3639E446186CFD2DAD61C1750D0FE4C,SHA256=A615078923484AF1870A2D9295ED9F259157CF9CE284C5D2880146BDA74DC623,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000889469Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:16:44.878{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=328D7C6E6294868BEDCA4BC288BA6B49,SHA256=87B00E400600CF0ACE621D85645D40D0971D0E7512138F4F16DD98C69FAD8835,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001026299Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:16:44.885{2E2BE06D-6DE9-60FA-3300-00000000E601}31563176C:\Windows\system32\conhost.exe{2E2BE06D-6F6C-60FE-0679-00000000E601}4704C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001026298Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:16:44.885{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001026297Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:16:44.885{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001026296Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:16:44.885{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001026295Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:16:44.885{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001026294Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:16:44.885{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001026293Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:16:44.885{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001026292Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:16:44.885{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001026291Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:16:44.885{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001026290Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:16:44.885{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001026289Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:16:44.885{2E2BE06D-6DD6-60FA-0500-00000000E601}416432C:\Windows\system32\csrss.exe{2E2BE06D-6F6C-60FE-0679-00000000E601}4704C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001026288Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:16:44.885{2E2BE06D-6DE8-60FA-2700-00000000E601}28923740C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2E2BE06D-6F6C-60FE-0679-00000000E601}4704C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001026287Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:16:44.871{2E2BE06D-6F6C-60FE-0679-00000000E601}4704C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2E2BE06D-6DD6-60FA-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{2E2BE06D-6DE8-60FA-2700-00000000E601}2892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001026286Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:16:44.385{2E2BE06D-6F6C-60FE-0579-00000000E601}49805876C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{2E2BE06D-6DE8-60FA-2700-00000000E601}2892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001026285Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:16:44.198{2E2BE06D-6DE9-60FA-3300-00000000E601}31563176C:\Windows\system32\conhost.exe{2E2BE06D-6F6C-60FE-0579-00000000E601}4980C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001026284Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:16:44.198{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001026283Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:16:44.198{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001026282Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:16:44.198{2E2BE06D-6DD6-60FA-0500-00000000E601}416432C:\Windows\system32\csrss.exe{2E2BE06D-6F6C-60FE-0579-00000000E601}4980C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001026281Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:16:44.198{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001026280Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:16:44.198{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001026279Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:16:44.198{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001026278Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:16:44.198{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001026277Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:16:44.198{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001026276Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:16:44.198{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001026275Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:16:44.198{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001026274Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:16:44.198{2E2BE06D-6DE8-60FA-2700-00000000E601}28923740C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2E2BE06D-6F6C-60FE-0579-00000000E601}4980C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001026273Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:16:44.183{2E2BE06D-6F6C-60FE-0579-00000000E601}4980C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{2E2BE06D-6DD6-60FA-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{2E2BE06D-6DE8-60FA-2700-00000000E601}2892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001026272Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:16:44.151{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4906E87E93960A8CFA5B84DF91EF0ABB,SHA256=143BA7EA44BA766D9C9F9B67B7CB944745BB8D47765E163B962AC6DEDA1FFBE8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000889471Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:16:45.878{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6AFFCEF60EB7881E31F52E5051CD7349,SHA256=60DF8C87491D00EB7E295F6C5CD1F532959568F98B1B197DB6B9BB7B2576E37D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001026316Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:16:45.745{2E2BE06D-6F6D-60FE-0779-00000000E601}9522540C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{2E2BE06D-6DE8-60FA-2700-00000000E601}2892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001026315Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:16:45.573{2E2BE06D-6DE9-60FA-3300-00000000E601}31563176C:\Windows\system32\conhost.exe{2E2BE06D-6F6D-60FE-0779-00000000E601}952C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001026314Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:16:45.573{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001026313Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:16:45.573{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001026312Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:16:45.573{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001026311Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:16:45.573{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001026310Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:16:45.573{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001026309Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:16:45.573{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001026308Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:16:45.573{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001026307Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:16:45.573{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001026306Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:16:45.573{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001026305Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:16:45.573{2E2BE06D-6DD6-60FA-0500-00000000E601}416420C:\Windows\system32\csrss.exe{2E2BE06D-6F6D-60FE-0779-00000000E601}952C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001026304Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:16:45.573{2E2BE06D-6DE8-60FA-2700-00000000E601}28923740C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2E2BE06D-6F6D-60FE-0779-00000000E601}952C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001026303Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:16:45.558{2E2BE06D-6F6D-60FE-0779-00000000E601}952C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2E2BE06D-6DD6-60FA-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{2E2BE06D-6DE8-60FA-2700-00000000E601}2892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001026302Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:16:44.598{2E2BE06D-6DD8-60FA-0F00-00000000E601}368C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse212.102.34.235unn-212-102-34-235.datapacket.com46789-false10.0.1.14win-dc-56.attackrange.local3389ms-wbt-server 23542300x80000000000000001026301Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:16:45.214{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3098E462040382CFD73AA68FBA914465,SHA256=C8E7DB9153220D73D3796468A9B412041673D97D57325B75F1BAD5D99C7688EE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000889470Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:16:45.269{D94AFF6C-6DD8-60FA-1100-00000000E701}972NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=CE2FDEB298F5E70B7BCC413921E642F6,SHA256=F3B15B747250676C0DFDE8CB6418BB1DD9FDE9E29A7E261B47DC9446D3DAC208,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001026300Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:16:45.089{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=770813C802D62FBE512EC1B84D392BF1,SHA256=950511187A93D25D81A19F4CA0819DD9C7BDF03AB2C02AE2315C3794AF7BBC10,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000889473Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:16:46.894{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B6266DA8AD1C619F30FDABE2D83B19EA,SHA256=442908254AFEB52A1BB19DB8EC2F75AEAFE38F00D1D63DDB9FEB6D6185D38849,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001026346Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:16:46.901{2E2BE06D-6DE9-60FA-3300-00000000E601}31563176C:\Windows\system32\conhost.exe{2E2BE06D-6F6E-60FE-0979-00000000E601}2448C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001026345Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:16:46.885{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001026344Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:16:46.885{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001026343Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:16:46.885{2E2BE06D-6DD6-60FA-0500-00000000E601}416420C:\Windows\system32\csrss.exe{2E2BE06D-6F6E-60FE-0979-00000000E601}2448C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001026342Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:16:46.885{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001026341Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:16:46.885{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001026340Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:16:46.885{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001026339Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:16:46.885{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001026338Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:16:46.885{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001026337Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:16:46.885{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001026336Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:16:46.885{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001026335Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:16:46.885{2E2BE06D-6DE8-60FA-2700-00000000E601}28923740C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2E2BE06D-6F6E-60FE-0979-00000000E601}2448C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001026334Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:16:46.872{2E2BE06D-6F6E-60FE-0979-00000000E601}2448C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2E2BE06D-6DD6-60FA-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{2E2BE06D-6DE8-60FA-2700-00000000E601}2892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001026333Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:16:46.870{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A242C77C43377C66C114C5AB461B74A,SHA256=FF7E0B5DB1054DCFBFE542E2F1FCCC85A5ABF51C06BDD1FC8F8FF834558F9593,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001026332Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:16:46.870{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CC147098CC7AF95E78DBCCE586BB50E3,SHA256=EB756775957FADB3659AB425931BC53AA88E703E12780CE7C170A9AA7E92EF4C,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001026331Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:16:45.266{2E2BE06D-6DF4-60FA-6900-00000000E601}3676C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-56.attackrange.local59140-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x80000000000000001026330Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:16:46.479{2E2BE06D-6F6E-60FE-0879-00000000E601}64605180C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{2E2BE06D-6DE8-60FA-2700-00000000E601}2892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000889472Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:16:35.110{D94AFF6C-6DE2-60FA-6100-00000000E701}3628C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-702.eu-central-1.compute.internal52455-false10.0.1.12-8000- 10341000x80000000000000001026329Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:16:46.260{2E2BE06D-6DE9-60FA-3300-00000000E601}31563176C:\Windows\system32\conhost.exe{2E2BE06D-6F6E-60FE-0879-00000000E601}6460C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001026328Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:16:46.260{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001026327Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:16:46.260{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001026326Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:16:46.260{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001026325Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:16:46.260{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001026324Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:16:46.260{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001026323Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:16:46.260{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001026322Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:16:46.260{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001026321Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:16:46.260{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001026320Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:16:46.260{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001026319Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:16:46.260{2E2BE06D-6DD6-60FA-0500-00000000E601}416536C:\Windows\system32\csrss.exe{2E2BE06D-6F6E-60FE-0879-00000000E601}6460C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001026318Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:16:46.260{2E2BE06D-6DE8-60FA-2700-00000000E601}28923740C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2E2BE06D-6F6E-60FE-0879-00000000E601}6460C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001026317Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:16:46.245{2E2BE06D-6F6E-60FE-0879-00000000E601}6460C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2E2BE06D-6DD6-60FA-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{2E2BE06D-6DE8-60FA-2700-00000000E601}2892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000889474Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:16:47.910{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=149439B933C2855E1804BACDEE1DB36F,SHA256=A5061FFFF0059D3C17AEE73A99BC5CB765D3864D7D4CD12AD1CE403F7E76D6D9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001026362Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:16:47.870{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=56A209CD64BA517AAA7629D582D442A2,SHA256=B4C55F4490B0DB69F5C78125D0A8C04B4ED327806724BE1FDFD6AF6322F7A218,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001026361Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:16:47.580{2E2BE06D-6DE9-60FA-3300-00000000E601}31563176C:\Windows\system32\conhost.exe{2E2BE06D-6F6F-60FE-0A79-00000000E601}6112C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001026360Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:16:47.580{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001026359Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:16:47.580{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001026358Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:16:47.580{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001026357Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:16:47.580{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001026356Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:16:47.580{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001026355Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:16:47.580{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001026354Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:16:47.580{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001026353Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:16:47.580{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001026352Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:16:47.580{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001026351Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:16:47.580{2E2BE06D-6DD6-60FA-0500-00000000E601}416432C:\Windows\system32\csrss.exe{2E2BE06D-6F6F-60FE-0A79-00000000E601}6112C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001026350Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:16:47.580{2E2BE06D-6DE8-60FA-2700-00000000E601}28923740C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2E2BE06D-6F6F-60FE-0A79-00000000E601}6112C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001026349Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:16:47.558{2E2BE06D-6F6F-60FE-0A79-00000000E601}6112C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2E2BE06D-6DD6-60FA-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{2E2BE06D-6DE8-60FA-2700-00000000E601}2892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001026348Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:16:47.557{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=20043CB3F775EA3A6DEF1F02B54CDA67,SHA256=44F6214C3D760ECE2C4901D1AEA46A3EDBD05E1554B4C0525567906E83D68C5F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001026347Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:16:47.104{2E2BE06D-6F6E-60FE-0979-00000000E601}24485164C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{2E2BE06D-6DE8-60FA-2700-00000000E601}2892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000889475Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:16:48.925{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4EDE1392216699B454F614AA943218F2,SHA256=C8867F9D7ABB3B7B5BF757E2DB5C45275B380DCFE81FA4307C02C587181A74C3,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001026364Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:16:48.089{2E2BE06D-6DD8-60FA-0F00-00000000E601}368C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse193.93.62.20-10646-false10.0.1.14win-dc-56.attackrange.local3389ms-wbt-server 23542300x80000000000000001026363Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:16:48.573{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4ED3437484893E9E653BB3AD85EC36AC,SHA256=47F595C7CCF928FEC78CE3C47263DE1002E11DA61F5FE91DEC359E7B921013E6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000889477Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:16:49.941{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=34F9B7C50D37224906174DEB3C48EB82,SHA256=A9F0B52E23A3CED8BE57145967B540BA4DBD4768F9ECAE8D82FB0BE5142CDB2E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001026365Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:16:49.589{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1254075EB594BFCA4710C0179834DE6D,SHA256=7ED79250855B65A23C08AB86E97A6CF2B7F30E7725FD456303E1FB207FD4EC21,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000889476Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:16:49.925{D94AFF6C-6DD9-60FA-2200-00000000E701}1296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=85E02EEFEB94889C2B3FA0450D64D965,SHA256=FD2D44B44F455C51F744FDF6D494B2B2CAA113DD2D7C2DD2E0FED42E8CA25B0C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000889479Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:16:50.957{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=29D66B9E7DAFE584085AF1191DEAB56F,SHA256=4F271A43FD3FF3D5ECB375ED001C1412D3EDFC95F2BCABB10B5AE57542CAFDED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001026367Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:16:50.589{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=861203E93493DA0281CFB7F1F12DF626,SHA256=ACDA6C16F836E33D5E88AA700806FD23F77650D57C941E2FED425B3764624141,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000889478Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:16:41.126{D94AFF6C-6DE2-60FA-6100-00000000E701}3628C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-702.eu-central-1.compute.internal52456-false10.0.1.12-8000- 23542300x80000000000000001026366Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:16:50.557{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CA7157D6F79E9C9999CAC29FE9E434C8,SHA256=D5C57F1B816D89DD7BA4FA8024CE6320B69F9150B3E6A7C74F5958092590BE33,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000889481Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:16:51.972{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D34568E03D75FC0B80178B81F19B4D3,SHA256=1B3CACF22013A8BD40726D73B1B9F323D395D417D9596BF63491FF09484D17DC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001026381Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:16:51.870{2E2BE06D-6DE9-60FA-3300-00000000E601}31563176C:\Windows\system32\conhost.exe{2E2BE06D-6F73-60FE-0B79-00000000E601}7064C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001026380Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:16:51.870{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001026379Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:16:51.870{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001026378Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:16:51.854{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001026377Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:16:51.854{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001026376Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:16:51.854{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001026375Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:16:51.854{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001026374Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:16:51.854{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001026373Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:16:51.854{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001026372Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:16:51.854{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001026371Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:16:51.854{2E2BE06D-6DD6-60FA-0500-00000000E601}416420C:\Windows\system32\csrss.exe{2E2BE06D-6F73-60FE-0B79-00000000E601}7064C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001026370Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:16:51.854{2E2BE06D-6DE8-60FA-2700-00000000E601}28923740C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2E2BE06D-6F73-60FE-0B79-00000000E601}7064C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001026369Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:16:51.855{2E2BE06D-6F73-60FE-0B79-00000000E601}7064C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2E2BE06D-6DD6-60FA-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{2E2BE06D-6DE8-60FA-2700-00000000E601}2892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001026368Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:16:51.604{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=023CF3300914816EF466C6DBB5733A7F,SHA256=7621DAE915EF8A66756D8CA46D351E42A2502CA54CF8A9116CFDED799ED10155,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000889480Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:16:41.954{D94AFF6C-6DD9-60FA-2200-00000000E701}1296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-702.eu-central-1.compute.internal52457-false10.0.1.12-8089- 23542300x8000000000000000889482Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:16:52.988{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=677CC4CFC19D98629BCEB806443C7944,SHA256=65FAEEBE84B134E7CED4DBCC3DA3B780876914A5FC3B3A555B0DBE6EB4621085,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001026386Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:16:52.854{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AE0F4E7DE5F761DAB7D12AD66E01DE99,SHA256=144E230D99506CAFE00B3F6F0118436000A671FDF1487167DEABDF77D33DA750,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001026385Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:16:51.204{2E2BE06D-6DF4-60FA-6900-00000000E601}3676C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-56.attackrange.local59142-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001026384Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:16:50.657{2E2BE06D-6DD6-60FA-0B00-00000000E601}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-56.attackrange.local59141-true0:0:0:0:0:0:0:1win-dc-56.attackrange.local389ldap 354300x80000000000000001026383Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:16:50.657{2E2BE06D-6DE8-60FA-2300-00000000E601}2740C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-56.attackrange.local59141-true0:0:0:0:0:0:0:1win-dc-56.attackrange.local389ldap 23542300x80000000000000001026382Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:16:52.620{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=69FB96E7D6D9540FE97F62799F8D1261,SHA256=114E97B7F1EF9CF0E20F66F3BD3C2C12D07786B06E6D07E6281B18CDC0229EC2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001026387Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:16:53.620{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB00C119B7CC4043F0BE92E30BC94DE9,SHA256=AB338FF2549B6760EF27FA1E0D63839F6E01D5CD98891E14530F43227E918EBE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001026388Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:16:54.635{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=276E57BFBBC598DD43EA0A75B24BD2AB,SHA256=527BABAAE497BFB25B9EB66C49E2E337E1443D4556C85188051F22C1BD25B7A5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000889483Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:16:54.003{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F671BDE5A1E96184B67D57B701AB355,SHA256=3147CE8E00F584D7E94CD48AEBFBC0D3E253EC73BDE7181744F2DD937A20888A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001026389Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:16:55.635{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A072ECA9690E3972B9CC4EACF7BF460B,SHA256=0887FDD2BF752E22ECC9D74639484CB8E65576F40237537DFA767A12BF0AA1C3,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000889485Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:16:46.298{D94AFF6C-6DE2-60FA-6100-00000000E701}3628C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-702.eu-central-1.compute.internal52458-false10.0.1.12-8000- 23542300x8000000000000000889484Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:16:55.019{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9644DC318C75A3B1E35A921255D3E6A5,SHA256=B1F9B2795518E68B484CCA270835F15FCC38270F57D21248C340B513700863F7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001026390Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:16:56.651{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B54814A30418C86575D3E15797176EF0,SHA256=ED367D9A9E9E338BD0F4AA6BD79975EEBABB380F1099D8CB4E7C34D3AC3CF056,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000889486Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:16:56.019{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2C4A61FB9A670A3D1BD864CE4E7DBE0F,SHA256=4A19A53FAE1B7909C1ABF23602FB6CFF6505BBA9A69F98C0F70F017B630DCDD9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001026393Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:16:57.667{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C6C255B88AFBDEAAC9CC678D6985A79,SHA256=FF432768253B755D3B704FCEC1AA40353B7F4B2DD03918114F2C656BF7D74C63,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000889491Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:16:57.925{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7A88B1E6CB27651E64790A337EAD778F,SHA256=C3B94545ACF1720356D04083B3B1A669D2DE56EEACEA9B2952B44F48B6299EFC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000889490Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:16:57.925{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=76EDFEDD652D4E86EE6EF4A4F268FDDB,SHA256=4FEB6E1F13985DC6EC0CECD0810F740A16809627E5D4CB22213232B1166A3235,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000889489Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:16:48.213{D94AFF6C-6DD8-60FA-1000-00000000E701}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse210.245.94.89smtp2.groupcontact.net64919-false10.0.1.15win-host-702.eu-central-1.compute.internal3389ms-wbt-server 354300x8000000000000000889488Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:16:48.138{D94AFF6C-6DD8-60FA-1000-00000000E701}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse193.93.62.33-46891-false10.0.1.15win-host-702.eu-central-1.compute.internal3389ms-wbt-server 23542300x8000000000000000889487Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:16:57.144{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=39F0AFA672AA579D1B1C876C79D10813,SHA256=2EF905C1B933555AC49AACAAF1120F20283A846FA9C023ADB4B5B6B90BBA3478,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001026392Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:16:56.282{2E2BE06D-6DF4-60FA-6900-00000000E601}3676C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-56.attackrange.local59143-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x80000000000000001026391Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:16:57.167{2E2BE06D-6DD8-60FA-0D00-00000000E601}9043884C:\Windows\system32\svchost.exe{2E2BE06D-6DD8-60FA-1000-00000000E601}384C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000889492Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:16:58.175{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7854B6E2AA1E97BA221FF37147B86685,SHA256=7068F34C79AEB39C4FE36C5B2EFD6CF9948F81D65E0FB444130787D0057B6A79,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001026394Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:16:58.667{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BD1299D0906301A06AC0FF716CDBFB55,SHA256=B291836360280D23DAAAD6325E830CC4D53A65831B01EC2103A4C8A145629A20,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000889495Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:16:49.936{D94AFF6C-6DD8-60FA-1000-00000000E701}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse210.245.94.89smtp2.groupcontact.net65028-false10.0.1.15win-host-702.eu-central-1.compute.internal3389ms-wbt-server 23542300x8000000000000000889494Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:16:59.675{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7A88B1E6CB27651E64790A337EAD778F,SHA256=C3B94545ACF1720356D04083B3B1A669D2DE56EEACEA9B2952B44F48B6299EFC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000889493Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:16:59.410{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED839AA1A4AD2432E075844D75A7798A,SHA256=CB6E178BF9C9D247120A6ADD65D1ADF096761AEEEB9B7EDF19D1C1B54B3DD937,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001026405Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:16:59.682{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E9865BE5DAC6F20BD43A1A2242D6A3AA,SHA256=0255F35BA95A79ACC6EFBD9B1BD65C1BCAF86A1292AA68C3284F84B9938D5B4F,IMPHASH=00000000000000000000000000000000falsetrue 13241300x80000000000000001026404Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-SetValue2021-07-26 08:16:59.573{2E2BE06D-6DD6-60FA-0B00-00000000E601}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x80000000000000001026403Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-SetValue2021-07-26 08:16:59.573{2E2BE06D-6DD6-60FA-0B00-00000000E601}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x0fa681c5) 13241300x80000000000000001026402Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-SetValue2021-07-26 08:16:59.573{2E2BE06D-6DD6-60FA-0B00-00000000E601}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d781ee-0x39157a7f) 13241300x80000000000000001026401Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-SetValue2021-07-26 08:16:59.573{2E2BE06D-6DD6-60FA-0B00-00000000E601}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d781f6-0x9ad9e27f) 13241300x80000000000000001026400Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-SetValue2021-07-26 08:16:59.573{2E2BE06D-6DD6-60FA-0B00-00000000E601}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d781fe-0xfc9e4a7f) 13241300x80000000000000001026399Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-SetValue2021-07-26 08:16:59.573{2E2BE06D-6DD6-60FA-0B00-00000000E601}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x80000000000000001026398Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-SetValue2021-07-26 08:16:59.573{2E2BE06D-6DD6-60FA-0B00-00000000E601}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x0fa681c5) 13241300x80000000000000001026397Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-SetValue2021-07-26 08:16:59.573{2E2BE06D-6DD6-60FA-0B00-00000000E601}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d781ee-0x39157a7f) 13241300x80000000000000001026396Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-SetValue2021-07-26 08:16:59.573{2E2BE06D-6DD6-60FA-0B00-00000000E601}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d781f6-0x9ad9e27f) 13241300x80000000000000001026395Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-SetValue2021-07-26 08:16:59.573{2E2BE06D-6DD6-60FA-0B00-00000000E601}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d781fe-0xfc9e4a7f) 23542300x80000000000000001026406Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:17:00.682{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CCE8D3CFA33855E20DBFAEFA5F05F6E8,SHA256=42D2238D65218127B4AF2453E4658FF4B368F3C310092E9FD35AA1CC7AD4EA40,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000889497Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:16:50.866{D94AFF6C-6DD8-60FA-1000-00000000E701}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse49.238.204.234-51639-false10.0.1.15win-host-702.eu-central-1.compute.internal3389ms-wbt-server 23542300x8000000000000000889496Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:17:00.519{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D9782FFE81E96C4F96FC6570C309DF6,SHA256=4B2337B9A12D3F24C1E3527C74CC0596D6FF443B937490B3CB5ABFDEF0E95AE3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000889499Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:17:01.738{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=18175D730087CAF10C65EAA2A43B1DBB,SHA256=29BAABD328D128847919AC7F1AF16BB41A6799FD028A7975C192B23454371BA7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001026407Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:17:01.698{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C24B10C206EED209CFA8E6FF7BCCB11,SHA256=BF0C3BC00C83B8E3C7C0175159CB196CF36766560C90F7C823B78F8239DC1D8A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000889498Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:17:01.222{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C42359030799DFA38C2D872B007577F1,SHA256=01ECDE77154D30EA8E9AD5E9297FA0A2D23E3C330C4876152CBA720E84927F5C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000889501Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:17:02.972{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0AB3FEB862A65293F1EC6EEBC8824B48,SHA256=2902F901E1FA469971B8B01DE9B02AACDBB7AD9E116C0D1BF4A97E92B27ABEB6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001026408Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:17:02.698{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA8423B8ECE9DD14A684D3A6E0E595DA,SHA256=9CFEDC3C4144D59C7C137C05ED6F3B1181FBC2DF915DCF6BA32A75B58AD607D9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000889500Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:16:52.251{D94AFF6C-6DE2-60FA-6100-00000000E701}3628C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-702.eu-central-1.compute.internal52459-false10.0.1.12-8000- 23542300x80000000000000001026410Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:17:03.729{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6E86E0B012C2819291E630E682132B2E,SHA256=5EED8CE23F518CDC3AAEF6EAF2906AA2D3E1A1C2556AA8D9476826C59DE1D988,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001026409Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:17:02.251{2E2BE06D-6DF4-60FA-6900-00000000E601}3676C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-56.attackrange.local59144-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001026411Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:17:04.732{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB1378DE80C1E9FFF629F5FF35E5C17A,SHA256=5DBD1E11AC65D6000864C3005864FC1AC4DB2F2A39D5E38F1EACCD001D8CAF81,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000889502Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:17:04.128{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=532BCCF9A538D7416CD78261B3115589,SHA256=ACA837A9F0E940B9BA380BC1355A207E5B4BE472062ED5F468EF2A128CA1D831,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001026412Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:17:05.735{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=28FD91CDBF0772C41F903E939BE0371B,SHA256=E3FD70A2A90AB8A1AAAFA95B2D3F8D16C6E326B8286889B9F4B85F68E44245CB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000889503Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:17:05.128{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=760F3DCEAD6A9EE0B5F59B8284429097,SHA256=8DA7EBF43259724A94BB47B08E53EC7FFAE0FC4E7E244E9D716D9022E5340822,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001026413Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:17:06.750{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8CAC35F9F7895BFF5067FEAE4138DBC4,SHA256=42DAD541B777E7478A10A295D9FB012805BD983A1CF8E75756A9BCA13E14690D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000889504Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:17:06.144{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DEB02996606FFA785F68C6BD21D4AC39,SHA256=1137E3A1FD862F10FD2625F15B6F5ECAD1F15C247070CE8F6089268B65D93DAF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001026414Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:17:07.750{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B4D0C45AB731CD5DFAF8EF6BFAD312FB,SHA256=27729438DDAF0D8CBFCA4374B51C8F4C53E990DD021AF156AF1D0B6E85A4EB87,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000889505Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:17:07.160{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=33BCA4BF52D3549C47A7C54028164939,SHA256=BC8C6FF22B52E17A000B4B8E432E7132EE39FD5FB5815DE1BB274A50337CDFFB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001026416Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:17:08.766{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=63749A4D96DF876D2B8B8FCA9FF8ED0F,SHA256=3BCAD6B5F0DB189F07A7F262983ADDBEAB629171856D43513C9F6D71505005EA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000889507Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:16:58.266{D94AFF6C-6DE2-60FA-6100-00000000E701}3628C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-702.eu-central-1.compute.internal52460-false10.0.1.12-8000- 23542300x8000000000000000889506Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:17:08.175{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AF9F2264E37818AADF4BF3E4D7D77E10,SHA256=921CD393D05C16022A73FF87C291E0DC7ED43F84D6AB11725157420566A51CDF,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001026415Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:17:07.334{2E2BE06D-6DF4-60FA-6900-00000000E601}3676C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-56.attackrange.local59145-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001026417Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:17:09.766{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=20E01771BAB901105EDE539157BF40AB,SHA256=ACC2C9AD85AABC4C15F9A20C25ACA1B0BDC44E6984A2ACD95BB234C1A941626B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000889508Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:17:09.191{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=03258F8568C66132C7002267342B38F4,SHA256=A4B67829881F9FC2F880BE36D906E6151664B685BE16A73585539B49F1CE0A73,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001026418Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:17:10.828{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D76109B5B23D09FD05928A22095692E5,SHA256=B0CA5B99E072BEC713110285851F11EFCE78C0A6B4B533B5FCCE7B051DFE9821,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000889509Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:17:10.206{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=189E4498700D3641B5AC5362760E8B59,SHA256=AD2F3F73D8D87A9142692F163D42F50C10A67E110D62770D2F54041D1301F957,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001026419Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:17:11.844{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE04A8E7DDB6CD2D6C42C18228F46EFB,SHA256=7406075B7483FBD24608991326E082CA005614DE55F663996D148621AF66AC4D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000889510Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:17:11.206{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=828F0012106638CAD88CEDEDA4610729,SHA256=3018010FD3CC0BD022451FA0CB4779B8E602D8BFF379EB9DC8294643B8D493DC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001026420Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:17:12.860{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=25FE29D3B803168A3FE748206921B939,SHA256=F24A69DCC3ACF2EA7F32A9F34CDC43EB8AFD3E38D31FF13CA80E49E0658F1D9F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000889511Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:17:12.222{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=019927A44BCEC099848C103E2B80B330,SHA256=122477FC286C40B481A3A632CCDA0B2B181374A92E2F71A3CA99F7B1BE9A9C37,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001026421Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:17:13.875{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F4A41F9624CAFB5953701F07EF241CE2,SHA256=628716E238AE6964895190926B856337CBB7DB43A41C4B3432B2D1CAFF572592,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000889513Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:17:04.250{D94AFF6C-6DE2-60FA-6100-00000000E701}3628C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-702.eu-central-1.compute.internal52461-false10.0.1.12-8000- 23542300x8000000000000000889512Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:17:13.238{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A274BDB7338AB76D7D553FD0535BE1E,SHA256=4FE95EF0EA21B8DD4831074A8D17544170B77672BAA4C7710B08F09FD0248FEB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001026422Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:17:14.875{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F12762CC7792C2CAB14E8CAEAD420C3,SHA256=DB1ECEB544C8BD3E5E30F056DE9991EEC18C504C6EB06068226DC4C884A2765A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000889514Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:17:14.253{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=02AF2F46CADCEA6E3913639F9082EF5F,SHA256=A1EE6C81BDCE8CDD47998643EB169C2248FCDA65AE0872D823DED0F39A8F2337,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001026424Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:17:15.891{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9BD5A7FC1019AA9DFB888B7F1EF29773,SHA256=00177C749B905A37FEE9E0BF2C9C8CCB47C6347A34556E7CD2BE78265CF74843,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000889515Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:17:15.253{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B16DD0BD78F4C0B969F69915978B330A,SHA256=AA41FDD79AF5DE22EB6142FAB2143D738CC196CE1D0AD57A3FFBCD793A6CFA4F,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001026423Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:17:13.303{2E2BE06D-6DF4-60FA-6900-00000000E601}3676C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-56.attackrange.local59146-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001026425Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:17:16.922{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E924C7EA376AF47E885FD2ACEC43EBEE,SHA256=CAD5569F827D0B320B0DAF8EF37C62AC9FC24D3A42874FDADAABCACC9B325C5B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000889516Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:17:16.269{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=79BC1C82A83B3C5912B1F3EF7A448980,SHA256=DD98C13F952ECF1A974F8F56788737F7B51AF5D3E9DC04B67AC8D6AA9CEC8B0E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001026427Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:17:17.938{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC103AAC08A4C0BD7E1DBF61879DB712,SHA256=AB52CA848CDDAB32BE1A4AA160289286A4F308D1B51CCB6D3187AA29E35A9F83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000889517Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:17:17.284{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F5BED590DF0C38CF25E241FF485952D6,SHA256=E4A45016CF74287F184C3502C5D41F07736BD01EA73603DB0EB8401DDF9390F2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001026426Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:17:17.828{2E2BE06D-6DD8-60FA-1200-00000000E601}780NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=F24BA80EC0D573E8C6DE9BB9D8DF377F,SHA256=BDF36701A141181888BB9E6471FD79A5F53520BB31F600DC054384E082CB9BAF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001026428Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:17:18.938{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=994C6E85E813AA42E20613DFB7DB1077,SHA256=AF680EDBC7368ECCBAB5022B7BB3E0D38911127FDDE91B77AD6F5C00CD280B7C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000889518Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:17:18.285{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=431C4E779D9459582F28870B40FBE429,SHA256=BA633247E41A68ECD67FC3BF343917D39867A2B369E5894942607690B81C7730,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001026429Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:17:19.953{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A41A235559D415321BD52FE8B98DCFC,SHA256=AEA4FE04A1CED604C34983B8C5F343F99DFBD3756859B78617B23C23DAF61B3D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000889520Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:17:10.234{D94AFF6C-6DE2-60FA-6100-00000000E701}3628C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-702.eu-central-1.compute.internal52462-false10.0.1.12-8000- 23542300x8000000000000000889519Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:17:19.300{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE49475A29C9468E109E6F1EF147E808,SHA256=AFEF2F42F0E5A37EE60D335620B07808C3D38E93606C70CAEFD3B4321D990E8B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001026431Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:17:20.953{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB1E9DDE1BE1D28E793BD4EFAC2CF32E,SHA256=0B495BFA3032FFE0DE1464D8B869559C899AA421FDACC6C289FAEE345F87EE0F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000889521Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:17:20.316{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=843182C4D0E7C55F8B4DA6D14F93D845,SHA256=33675223CD3F63803177A4BD5972F40470873B8F8CCC1D852FABFEE86D4C45E8,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001026430Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:17:19.319{2E2BE06D-6DF4-60FA-6900-00000000E601}3676C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-56.attackrange.local59147-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001026432Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:17:21.985{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E28CFA911631B6E2DA2BFF856ACF5CE8,SHA256=A10235FB5A82C7388E0D2BC6D3E65F10E1EEFE3C8EE58C2014C2723FE42A9A0F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000889522Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:17:21.331{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B030309C55B1718CD796BCB223986872,SHA256=43D16B3544215693177EA0A6F727D348054CE77509FC411E95075D2735B3A27E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001026433Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:17:22.985{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0CED95393CAA7E8D4ECFBC06343BA7D4,SHA256=076006E2B1CE55E0E64F87041A892F5A2CC6F5546A371BB0289A8D71F81CB4F6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000889523Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:17:22.347{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=07E6659E2080014DA5FD7711B91D9441,SHA256=8636E188E4C044A65009F8A100C54A25881309A0659E6869CA6A34F1A7E90EB8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000889524Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:17:23.363{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DCFCA67305C0B01D6522C27CCA7CE048,SHA256=B70717FA0686A67412E4362E90083678D97219BFFF9FF7CE9C7A0C6D79EF37E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000889525Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:17:24.363{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB1166D160FC9F79C8746B4C7738F9F4,SHA256=DD9910E9E5433DE3A5C76E03BD124E039B6477F2BF2CFA340C5D87B1D45CE7CA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001026435Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:17:24.875{2E2BE06D-6DE8-60FA-2700-00000000E601}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=85E02EEFEB94889C2B3FA0450D64D965,SHA256=FD2D44B44F455C51F744FDF6D494B2B2CAA113DD2D7C2DD2E0FED42E8CA25B0C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001026434Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:17:24.016{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AEC860EE15756587A4B42AEC2CAC948B,SHA256=4AC4B13FFB44F128D3590EBB33AD386566883ACA968B7B9CAC66B7EE4BBE130A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000889526Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:17:25.378{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE4981F25919DA345EB6E302788955B1,SHA256=806B1655DAE4F954A63CAF68FC9BC54ED387F3DB01C7C00997C0549B5F255011,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001026437Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:17:25.241{2E2BE06D-6DF4-60FA-6900-00000000E601}3676C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-56.attackrange.local59148-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001026436Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:17:25.016{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=97B8AF0C42518569B8E976FC273382E2,SHA256=B9223A93DBE683116EB73BEBE64A72276E55FDD9295B0E06B158A050998893BA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000889528Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:17:26.394{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE089ECA1646CCD19E1C3F7591A95CF1,SHA256=F9E73C411B376D6F6B401F887AB398A1D228FB3A3D1AAA9ECC6FB412FE9C3F30,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001026439Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:17:25.991{2E2BE06D-6DE8-60FA-2700-00000000E601}2892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-56.attackrange.local59149-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x80000000000000001026438Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:17:26.031{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC29E9AFD7B91652BF28DABABE0A6CAE,SHA256=5FE9504D4B658C20B1E4A9B5D176998A9D183E7B5D0C49BF287AD4F4F9FDBEF0,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000889527Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:17:16.187{D94AFF6C-6DE2-60FA-6100-00000000E701}3628C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-702.eu-central-1.compute.internal52463-false10.0.1.12-8000- 10341000x8000000000000000889542Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:17:27.909{D94AFF6C-6DDA-60FA-2B00-00000000E701}28322852C:\Windows\system32\conhost.exe{D94AFF6C-6F97-60FE-7D78-00000000E701}1664C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000889541Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:17:27.894{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000889540Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:17:27.894{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000889539Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:17:27.894{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000889538Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:17:27.894{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000889537Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:17:27.894{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000889536Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:17:27.894{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000889535Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:17:27.894{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000889534Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:17:27.894{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000889533Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:17:27.894{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000889532Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:17:27.894{D94AFF6C-6DD7-60FA-0500-00000000E701}416432C:\Windows\system32\csrss.exe{D94AFF6C-6F97-60FE-7D78-00000000E701}1664C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000889531Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:17:27.894{D94AFF6C-6DD9-60FA-2200-00000000E701}12963324C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D94AFF6C-6F97-60FE-7D78-00000000E701}1664C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000889530Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:17:27.895{D94AFF6C-6F97-60FE-7D78-00000000E701}1664C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D94AFF6C-6DD8-60FA-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{D94AFF6C-6DD9-60FA-2200-00000000E701}1296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000889529Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:17:27.409{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5466FF39A74EE305B7D67F07B1C4C176,SHA256=E9FC565B1512AA34E64F149137A570EFED697146268A4B655E071CDB39AEC0CB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001026440Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:17:27.031{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A00F088CE757F4070AD4D5A86890ED98,SHA256=34C8DA6A252589C0374B304F48D201072F038AF835167AF373F04E9D24857D8F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000889558Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:17:28.894{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=26722E52BA7E806CAB1285B5C7A3BDD8,SHA256=88A06D9C04FF9D3E4DB3E01005B636E0D5AE01511CB07DA610C23CAE2399DC8F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000889557Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:17:28.894{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=24D02E8D876C3D15778AE27B1A534DE1,SHA256=D730532AAE65DF283A019978D043B57A9831FD6FDF97880A820AF074CD5DCAD4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000889556Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:17:28.534{D94AFF6C-6DDA-60FA-2B00-00000000E701}28322852C:\Windows\system32\conhost.exe{D94AFF6C-6F98-60FE-7E78-00000000E701}1716C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000889555Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:17:28.534{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000889554Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:17:28.534{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000889553Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:17:28.534{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000889552Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:17:28.534{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000889551Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:17:28.534{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000889550Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:17:28.534{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000889549Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:17:28.534{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000889548Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:17:28.534{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000889547Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:17:28.519{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000889546Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:17:28.519{D94AFF6C-6DD7-60FA-0500-00000000E701}4161060C:\Windows\system32\csrss.exe{D94AFF6C-6F98-60FE-7E78-00000000E701}1716C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000889545Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:17:28.519{D94AFF6C-6DD9-60FA-2200-00000000E701}12963324C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D94AFF6C-6F98-60FE-7E78-00000000E701}1716C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000889544Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:17:28.520{D94AFF6C-6F98-60FE-7E78-00000000E701}1716C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D94AFF6C-6DD8-60FA-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{D94AFF6C-6DD9-60FA-2200-00000000E701}1296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000889543Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:17:28.410{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BEB720E2367C011437F12E10B2AA216D,SHA256=D5715D11B0BFDB8FEB2AF6CF153A8126861ACFF78D4A13A2A58E4DA8C7DEAC49,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001026441Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:17:28.047{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FEE9670507D26969AEE7227F43B37175,SHA256=6181F8DF31BFBFAF438320657041B0B7EE1DEFBE9F2B65BCF67E0D5F5143C8F4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000889586Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:17:29.831{D94AFF6C-6DDA-60FA-2B00-00000000E701}28322852C:\Windows\system32\conhost.exe{D94AFF6C-6F99-60FE-8078-00000000E701}3532C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000889585Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:17:29.831{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000889584Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:17:29.816{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000889583Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:17:29.816{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000889582Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:17:29.816{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000889581Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:17:29.816{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000889580Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:17:29.816{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000889579Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:17:29.816{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000889578Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:17:29.816{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000889577Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:17:29.816{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000889576Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:17:29.816{D94AFF6C-6DD7-60FA-0500-00000000E701}416432C:\Windows\system32\csrss.exe{D94AFF6C-6F99-60FE-8078-00000000E701}3532C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000889575Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:17:29.816{D94AFF6C-6DD9-60FA-2200-00000000E701}12963324C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D94AFF6C-6F99-60FE-8078-00000000E701}3532C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000889574Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:17:29.816{D94AFF6C-6F99-60FE-8078-00000000E701}3532C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D94AFF6C-6DD8-60FA-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{D94AFF6C-6DD9-60FA-2200-00000000E701}1296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000889573Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:17:29.503{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DFC3656367670FEFE166AE2457F7B92A,SHA256=21833265A1B733C3A3C32223A563983B3E629B3AE2BFD33F62EA223884F171F3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001026442Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:17:29.063{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3AC08D2ECC2E16B7648A24F55AB29390,SHA256=282C5C118F8F2ADA05A1A18E088AAC4A5005B3C370A034E363F7983C21C9C251,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000889572Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:17:29.269{D94AFF6C-6F99-60FE-7F78-00000000E701}12322596C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{D94AFF6C-6DD9-60FA-2200-00000000E701}1296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000889571Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:17:29.159{D94AFF6C-6DDA-60FA-2B00-00000000E701}28322852C:\Windows\system32\conhost.exe{D94AFF6C-6F99-60FE-7F78-00000000E701}1232C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000889570Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:17:29.144{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000889569Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:17:29.144{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000889568Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:17:29.144{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000889567Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:17:29.144{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000889566Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:17:29.144{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000889565Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:17:29.144{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000889564Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:17:29.144{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000889563Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:17:29.144{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000889562Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:17:29.144{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000889561Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:17:29.144{D94AFF6C-6DD7-60FA-0500-00000000E701}4161060C:\Windows\system32\csrss.exe{D94AFF6C-6F99-60FE-7F78-00000000E701}1232C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000889560Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:17:29.144{D94AFF6C-6DD9-60FA-2200-00000000E701}12963324C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D94AFF6C-6F99-60FE-7F78-00000000E701}1232C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000889559Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:17:29.145{D94AFF6C-6F99-60FE-7F78-00000000E701}1232C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D94AFF6C-6DD8-60FA-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{D94AFF6C-6DD9-60FA-2200-00000000E701}1296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000889588Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:17:30.550{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=80E06F8B15FB643A9A1076B405D786CA,SHA256=F64769433711D627D3C734A3019DB07FA3619E4FF046AA8ECAC7E2742601ED90,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001026444Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:17:30.366{2E2BE06D-6DF4-60FA-6900-00000000E601}3676C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-56.attackrange.local59150-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001026443Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:17:30.063{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6DFA9AAE1441A5D3EA6F3E85273C3182,SHA256=8863EE174213D3E9115068AABA160D87A9A3426F13F689913D5331C2EFC8455A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000889587Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:17:30.175{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=26722E52BA7E806CAB1285B5C7A3BDD8,SHA256=88A06D9C04FF9D3E4DB3E01005B636E0D5AE01511CB07DA610C23CAE2399DC8F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000889589Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:17:31.784{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C214A1AB131E34D04937FD22C13BCF6,SHA256=BFC532BD1BE41369460A8481E87DFE78AA9A0ED189B936D974295660D546B8DB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001026445Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:17:31.297{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B43A4763EE00E0ACE5C462047766BFF7,SHA256=95E34E3D048BD6472ACF7428885C4A7B5C9952F3A167FB1899373E26082C8FB3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000889591Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:17:32.800{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F48C14845F1BE1FDF34962F075A28A7,SHA256=6CF8671F149948FE680A4F2B3C0A001C386245880C742C493B5FFA81AA4F6468,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001026446Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:17:32.531{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E6732CFCF07291C67473615BF99E4327,SHA256=24BFE1D4509A3E10E83131A058920D9C44FD4535E9B6AD3CADCD1FB2962C19E7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000889590Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:17:22.109{D94AFF6C-6DE2-60FA-6100-00000000E701}3628C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-702.eu-central-1.compute.internal52464-false10.0.1.12-8000- 23542300x8000000000000000889592Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:17:33.941{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=34B01D91AF1D76678D80F1EB5892F179,SHA256=075F0EA22B948D1222A5D3BFAB181DFC0EAA061390CB737F93B89D3ADA383F2E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001026447Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:17:33.563{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8475433133BA27E53418127CF97C3821,SHA256=2C38DA86362E0BE64779BB26D148CA75B59040AE2DCE51F151A6EA51A50E8485,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001026448Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:17:34.610{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=96ED3FEBE43B6F09638E30B7C98FDD03,SHA256=933FAFA65853F852FBD153047173A13ECCE4519E3932B9384AFD10448B338686,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001026449Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:17:35.610{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=562C5F500AC68F0722BC7FBC2557748A,SHA256=0906E1F5F7441E9879BE3FD052F7DF6CD3D49CDF38846F42C3595EF8E0ADDC91,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000889607Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:17:35.847{D94AFF6C-6F9F-60FE-8178-00000000E701}3441912C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D94AFF6C-6DD9-60FA-2200-00000000E701}1296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000889606Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:17:35.738{D94AFF6C-6DDA-60FA-2B00-00000000E701}28322852C:\Windows\system32\conhost.exe{D94AFF6C-6F9F-60FE-8178-00000000E701}344C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000889605Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:17:35.722{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000889604Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:17:35.722{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000889603Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:17:35.722{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000889602Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:17:35.722{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000889601Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:17:35.722{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000889600Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:17:35.722{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000889599Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:17:35.722{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000889598Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:17:35.722{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000889597Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:17:35.722{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000889596Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:17:35.722{D94AFF6C-6DD7-60FA-0500-00000000E701}4161060C:\Windows\system32\csrss.exe{D94AFF6C-6F9F-60FE-8178-00000000E701}344C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000889595Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:17:35.722{D94AFF6C-6DD9-60FA-2200-00000000E701}12963324C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D94AFF6C-6F9F-60FE-8178-00000000E701}344C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000889594Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:17:35.723{D94AFF6C-6F9F-60FE-8178-00000000E701}344C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D94AFF6C-6DD8-60FA-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{D94AFF6C-6DD9-60FA-2200-00000000E701}1296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000889593Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:17:35.019{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4AD777982B13EF31E50C2D67E4FCE852,SHA256=CA119864F2007E49E302DDBC9F79C1E85E34844D3312427DF18734CEF5E39FF0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001026450Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:17:36.610{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A0AC0A28863E59657EF9CCCDEBCAAEA6,SHA256=26626FAF69738925BA9D17E7CFA20FCE9BB7892A91E561BFB550DF084BE4E248,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000889611Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:17:36.754{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4574AAC8251280B4C8EC63B185A867EB,SHA256=C8ECBE0BB74EFEBDF3E690F9FC2710B278898D4A375FB87A6EDEEBED354695AB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000889610Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:17:36.754{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FDC96CEB723E33ECCEF5F07D5D463626,SHA256=63C2875F2E22FA8B1C28436ECBB7E82BAA939C09EA4C30ED75D5C5AAF475985C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000889609Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:17:27.234{D94AFF6C-6DE2-60FA-6100-00000000E701}3628C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-702.eu-central-1.compute.internal52465-false10.0.1.12-8000- 23542300x8000000000000000889608Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:17:36.050{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=630E000E2F8262F7A2E174C9C5F559D9,SHA256=593D488FEDDF10A9039D599CB157D716C7C62035E3A8A7D05679A575AF5ACDC8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001026452Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:17:37.625{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D531017CE19B83AE56B6D849EEAA34B,SHA256=F71DAD8FA9C419D2FD851C37D1E546EEC010FD66DBC817CF718A3D32FE0DB4C6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000889612Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:17:37.286{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=21D456F3EA17DDC66840393B53D1B56E,SHA256=1D9DD9BABEFDC784D41C739090532875BE21E58C297BAD6DD4C0CF4E63B896CF,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001026451Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:17:36.256{2E2BE06D-6DF4-60FA-6900-00000000E601}3676C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-56.attackrange.local59151-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001026453Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:17:38.641{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F91742135C498B210F10ED87484CAA3,SHA256=64C3E8362194A0AD90A69F7D4ACA0E07B0462FD2BAA4227C5E42C9689DD6DAA5,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000889615Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:17:29.186{D94AFF6C-6DD8-60FA-1000-00000000E701}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse191.96.168.227-52826-false10.0.1.15win-host-702.eu-central-1.compute.internal3389ms-wbt-server 23542300x8000000000000000889614Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:17:38.517{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=127E58AF141FD55F1B83BDE282B9D09F,SHA256=9192B6E7CCA696289C8CF7B00A43A3BF0E650F744AAA28C92EA343C0C38FC84D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000889613Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:17:38.470{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4574AAC8251280B4C8EC63B185A867EB,SHA256=C8ECBE0BB74EFEBDF3E690F9FC2710B278898D4A375FB87A6EDEEBED354695AB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001026454Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:17:39.641{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E3764DB74BF8AD3E194CC3ECA3B8A1E,SHA256=7BF8747F9FCBA24426D7801B0B43BDED02465482248052011084F4B2636708CA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000889630Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:17:39.765{D94AFF6C-6FA3-60FE-8278-00000000E701}26963672C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{D94AFF6C-6DD9-60FA-2200-00000000E701}1296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000889629Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:17:39.624{D94AFF6C-6DDA-60FA-2B00-00000000E701}28322852C:\Windows\system32\conhost.exe{D94AFF6C-6FA3-60FE-8278-00000000E701}2696C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000889628Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:17:39.624{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000889627Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:17:39.624{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000889626Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:17:39.624{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000889625Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:17:39.609{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000889624Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:17:39.609{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000889623Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:17:39.609{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000889622Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:17:39.609{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000889621Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:17:39.609{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000889620Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:17:39.609{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000889619Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:17:39.609{D94AFF6C-6DD7-60FA-0500-00000000E701}416532C:\Windows\system32\csrss.exe{D94AFF6C-6FA3-60FE-8278-00000000E701}2696C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000889618Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:17:39.609{D94AFF6C-6DD9-60FA-2200-00000000E701}12963324C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D94AFF6C-6FA3-60FE-8278-00000000E701}2696C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000889617Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:17:39.610{D94AFF6C-6FA3-60FE-8278-00000000E701}2696C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D94AFF6C-6DD8-60FA-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{D94AFF6C-6DD9-60FA-2200-00000000E701}1296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000889616Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:17:39.546{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=49E85D08D04776D64017D7488C4B57DC,SHA256=81B02D28084B4776377862253717E5F5E38DCDCA46393E1C6D0CB5B2C09572D6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000889646Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:17:40.749{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5C7675B0E6D99A4F728047E7C3621F86,SHA256=1CC3AFCD93FC2C40A032E7DBB138F194FF7D4D72C5A51E1FF0E35E713E188F27,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000889645Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:17:40.749{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE9B081316EDB4DA04EF6338EDEFE3A0,SHA256=7C22F5EC1BCFCA63F042B53EE13991DF2DB08FC9A7D33E3828169582C49B4E94,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001026455Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:17:40.656{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED723BB9D52EFF7C4AC98E1963E9E7AB,SHA256=64EC384E5DABFF0121D5058DAAAB73C1384C704F7A70FB0966BD98EBD5519E03,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000889644Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:17:40.406{D94AFF6C-6FA4-60FE-8378-00000000E701}40122872C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D94AFF6C-6DD9-60FA-2200-00000000E701}1296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000889643Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:17:40.296{D94AFF6C-6DDA-60FA-2B00-00000000E701}28322852C:\Windows\system32\conhost.exe{D94AFF6C-6FA4-60FE-8378-00000000E701}4012C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000889642Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:17:40.281{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000889641Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:17:40.281{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000889640Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:17:40.281{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000889639Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:17:40.281{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000889638Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:17:40.281{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000889637Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:17:40.281{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000889636Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:17:40.281{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000889635Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:17:40.281{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000889634Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:17:40.281{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000889633Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:17:40.281{D94AFF6C-6DD7-60FA-0500-00000000E701}416532C:\Windows\system32\csrss.exe{D94AFF6C-6FA4-60FE-8378-00000000E701}4012C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000889632Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:17:40.281{D94AFF6C-6DD9-60FA-2200-00000000E701}12963324C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D94AFF6C-6FA4-60FE-8378-00000000E701}4012C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000889631Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:17:40.281{D94AFF6C-6FA4-60FE-8378-00000000E701}4012C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{D94AFF6C-6DD8-60FA-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{D94AFF6C-6DD9-60FA-2200-00000000E701}1296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001026456Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:17:41.672{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7AECC5E8A65681EADF270515C4EB6426,SHA256=F3522AEF30D17A399DE7A43C1AD270FA8BB882B9E961DB63FD6B94E3CE3A6781,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000889647Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:17:41.953{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D1E4CD2A18EB2107728DAD489667E869,SHA256=ECDF5365817E76C57FCE8FE15EEFC1BDA9FCF17E2EC51034D46F09C12DD15ED4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000889649Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:17:42.968{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=41ADAF7263866E45929AE15B9D079A54,SHA256=103E2BE6F058FDD8CCE7874F0A1BD1298D8E80B4052103BA2CE485A91B63B5DA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001026458Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:17:42.688{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DDCD0EBED98B123B6BDAE13DB1BACDAC,SHA256=C9BD745A995EACC890549FB396C476D4A73E3052D72782723F0D49670943D514,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001026457Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:17:41.366{2E2BE06D-6DF4-60FA-6900-00000000E601}3676C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-56.attackrange.local59152-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000889648Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:17:33.168{D94AFF6C-6DE2-60FA-6100-00000000E701}3628C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-702.eu-central-1.compute.internal52466-false10.0.1.12-8000- 23542300x80000000000000001026462Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:17:43.688{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C69817A0D5665BEED46911739ED1B6DB,SHA256=2ECCFD52FE91F3A908D30F2BD645CAB4C547DDEE0C2E8C7092A65C6DE66DB7A5,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001026461Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:17:42.964{2E2BE06D-6DD8-60FA-0F00-00000000E601}368C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse193.93.62.33-39250-false10.0.1.14win-dc-56.attackrange.local3389ms-wbt-server 23542300x80000000000000001026460Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:17:43.047{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=330FE9180FDE7384C1D366427B7FC0D0,SHA256=C8A623E4B3281564295E7CB47915143E4AE47D5C0B7BBF464DD062FBEC1DCEBE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001026459Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:17:43.047{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=79BC9FD3D6FE3CCBBF3B02144F329600,SHA256=3AAE6C4A52FF9D629B112F6C669371ECE8FB75F6C7B9E5049B717F4E86F224F0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001026490Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:17:44.875{2E2BE06D-6DE9-60FA-3300-00000000E601}31563176C:\Windows\system32\conhost.exe{2E2BE06D-6FA8-60FE-0D79-00000000E601}6532C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001026489Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:17:44.875{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001026488Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:17:44.875{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001026487Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:17:44.875{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001026486Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:17:44.875{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001026485Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:17:44.875{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001026484Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:17:44.875{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001026483Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:17:44.875{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001026482Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:17:44.875{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001026481Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:17:44.875{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001026480Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:17:44.875{2E2BE06D-6DD6-60FA-0500-00000000E601}416420C:\Windows\system32\csrss.exe{2E2BE06D-6FA8-60FE-0D79-00000000E601}6532C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001026479Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:17:44.875{2E2BE06D-6DE8-60FA-2700-00000000E601}28923740C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2E2BE06D-6FA8-60FE-0D79-00000000E601}6532C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001026478Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:17:44.861{2E2BE06D-6FA8-60FE-0D79-00000000E601}6532C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2E2BE06D-6DD6-60FA-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{2E2BE06D-6DE8-60FA-2700-00000000E601}2892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001026477Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:17:44.719{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=045119E4B932E492DBF5B3B3FE69F5C0,SHA256=1AFAFF8B13BBA058C6DC69020740CE18BF3AA03376DB85D9A5E011D948785AD0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000889650Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:17:43.999{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5385794DF8E392079F65046E545A689F,SHA256=6EC21EDB434A7FD72C68DF0C4BABBAFDA7BE15AA1D01F069AA187311FE8FD0E2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001026476Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:17:44.531{2E2BE06D-6FA8-60FE-0C79-00000000E601}6241208C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{2E2BE06D-6DE8-60FA-2700-00000000E601}2892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001026475Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:17:44.203{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001026474Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:17:44.203{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001026473Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:17:44.203{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001026472Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:17:44.203{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001026471Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:17:44.203{2E2BE06D-6DE9-60FA-3300-00000000E601}31563176C:\Windows\system32\conhost.exe{2E2BE06D-6FA8-60FE-0C79-00000000E601}624C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001026470Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:17:44.203{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001026469Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:17:44.203{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001026468Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:17:44.203{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001026467Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:17:44.203{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001026466Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:17:44.203{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001026465Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:17:44.203{2E2BE06D-6DD6-60FA-0500-00000000E601}416420C:\Windows\system32\csrss.exe{2E2BE06D-6FA8-60FE-0C79-00000000E601}624C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001026464Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:17:44.203{2E2BE06D-6DE8-60FA-2700-00000000E601}28923740C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2E2BE06D-6FA8-60FE-0C79-00000000E601}624C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001026463Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:17:44.188{2E2BE06D-6FA8-60FE-0C79-00000000E601}624C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2E2BE06D-6DD6-60FA-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{2E2BE06D-6DE8-60FA-2700-00000000E601}2892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001026506Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:17:45.844{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=056847C3362C059D38A25496900FBE43,SHA256=58E82CC000B9632C465A36ACCEA0AAD0F4CE7E78F6FBF357242D9DFD3E9FE8B4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001026505Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:17:45.813{2E2BE06D-6FA9-60FE-0E79-00000000E601}50286636C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{2E2BE06D-6DE8-60FA-2700-00000000E601}2892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000889652Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:17:45.281{D94AFF6C-6DD8-60FA-1100-00000000E701}972NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=C30F877D00DFD8ABBF868451F17E57A8,SHA256=CDA2922BE74E00E9EEE44FFEAA56E4DBDCE5AAF8ED14AABF8318871FBDCE4A16,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000889651Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:17:45.015{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E9E7F47AD408D9FE6D8982AD679D7D1,SHA256=E65BEFFF3B4D07198A0F1212D4480098790B960D549675D56C9649F73442EF58,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001026504Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:17:45.563{2E2BE06D-6DE9-60FA-3300-00000000E601}31563176C:\Windows\system32\conhost.exe{2E2BE06D-6FA9-60FE-0E79-00000000E601}5028C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001026503Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:17:45.563{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001026502Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:17:45.563{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001026501Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:17:45.563{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001026500Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:17:45.563{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001026499Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:17:45.563{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001026498Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:17:45.563{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001026497Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:17:45.563{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001026496Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:17:45.563{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001026495Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:17:45.563{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001026494Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:17:45.563{2E2BE06D-6DD6-60FA-0500-00000000E601}416420C:\Windows\system32\csrss.exe{2E2BE06D-6FA9-60FE-0E79-00000000E601}5028C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001026493Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:17:45.563{2E2BE06D-6DE8-60FA-2700-00000000E601}28923740C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2E2BE06D-6FA9-60FE-0E79-00000000E601}5028C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001026492Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:17:45.548{2E2BE06D-6FA9-60FE-0E79-00000000E601}5028C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2E2BE06D-6DD6-60FA-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{2E2BE06D-6DE8-60FA-2700-00000000E601}2892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001026491Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:17:45.203{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=330FE9180FDE7384C1D366427B7FC0D0,SHA256=C8A623E4B3281564295E7CB47915143E4AE47D5C0B7BBF464DD062FBEC1DCEBE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001026535Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:17:46.938{2E2BE06D-6DE9-60FA-3300-00000000E601}31563176C:\Windows\system32\conhost.exe{2E2BE06D-6FAA-60FE-1079-00000000E601}4296C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001026534Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:17:46.938{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001026533Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:17:46.938{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001026532Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:17:46.938{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001026531Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:17:46.938{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001026530Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:17:46.938{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001026529Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:17:46.938{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001026528Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:17:46.938{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001026527Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:17:46.938{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001026526Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:17:46.938{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001026525Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:17:46.922{2E2BE06D-6DD6-60FA-0500-00000000E601}416420C:\Windows\system32\csrss.exe{2E2BE06D-6FAA-60FE-1079-00000000E601}4296C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001026524Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:17:46.922{2E2BE06D-6DE8-60FA-2700-00000000E601}28923740C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2E2BE06D-6FAA-60FE-1079-00000000E601}4296C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001026523Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:17:46.923{2E2BE06D-6FAA-60FE-1079-00000000E601}4296C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2E2BE06D-6DD6-60FA-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{2E2BE06D-6DE8-60FA-2700-00000000E601}2892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001026522Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:17:46.813{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B95FB4D5F1F11A47AC6B9C51FA159E3,SHA256=6BCF03770E4D3C17FDC98D11B65701832A96A92645BB147E44EE81C98FC80D86,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000889656Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:17:36.305{D94AFF6C-6DD8-60FA-1000-00000000E701}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse210.245.94.89smtp2.groupcontact.net64698-false10.0.1.15win-host-702.eu-central-1.compute.internal3389ms-wbt-server 23542300x8000000000000000889655Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:17:46.046{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=693D5365D062DB898DBD52C4243A71D9,SHA256=14775171FED666E5C3E0BF0C55C3AB7F8C00540C98C1B8BF34E42DCD43F779C7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001026521Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:17:46.781{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=052FA1AD08922F42B0AEF417F92492E5,SHA256=F254480F0BEB66EA09C07363CE986EC00BAAA6D5B9429710199279569ED132AC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001026520Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:17:46.453{2E2BE06D-6FAA-60FE-0F79-00000000E601}8362464C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{2E2BE06D-6DE8-60FA-2700-00000000E601}2892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001026519Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:17:46.250{2E2BE06D-6DE9-60FA-3300-00000000E601}31563176C:\Windows\system32\conhost.exe{2E2BE06D-6FAA-60FE-0F79-00000000E601}836C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001026518Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:17:46.250{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001026517Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:17:46.250{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001026516Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:17:46.250{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001026515Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:17:46.250{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001026514Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:17:46.250{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001026513Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:17:46.250{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001026512Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:17:46.250{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001026511Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:17:46.250{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001026510Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:17:46.250{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001026509Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:17:46.250{2E2BE06D-6DD6-60FA-0500-00000000E601}416432C:\Windows\system32\csrss.exe{2E2BE06D-6FAA-60FE-0F79-00000000E601}836C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001026508Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:17:46.235{2E2BE06D-6DE8-60FA-2700-00000000E601}28923740C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2E2BE06D-6FAA-60FE-0F79-00000000E601}836C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001026507Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:17:46.235{2E2BE06D-6FAA-60FE-0F79-00000000E601}836C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2E2BE06D-6DD6-60FA-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{2E2BE06D-6DE8-60FA-2700-00000000E601}2892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000889654Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:17:45.999{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=46753E06C38C7CF8F05B112DCCEFCA44,SHA256=18D885E9792FB9A06C8905FBA0CD8FE7C3D6799B7BFB372FE1FB629F3BA3E2EC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000889653Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:17:45.999{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=49724EEA8AD85442155D3BC885370927,SHA256=DC10F93CA867D1C47CF805EF00E776987186ECFA20C7505DCEE098109A7011B5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000889657Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:17:47.046{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=25231299C1A0F137AB2C893B48794F7B,SHA256=6F5231FA77EB1EBED26DA9B92B96EC917B2419FCCD4E1F96CA047D762C961582,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001026549Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:17:47.797{2E2BE06D-6FAB-60FE-1179-00000000E601}41245376C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{2E2BE06D-6DE8-60FA-2700-00000000E601}2892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001026548Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:17:47.625{2E2BE06D-6DE9-60FA-3300-00000000E601}31563176C:\Windows\system32\conhost.exe{2E2BE06D-6FAB-60FE-1179-00000000E601}4124C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001026547Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:17:47.625{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001026546Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:17:47.625{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001026545Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:17:47.625{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001026544Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:17:47.625{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001026543Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:17:47.625{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001026542Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:17:47.625{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001026541Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:17:47.625{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001026540Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:17:47.625{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001026539Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:17:47.610{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001026538Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:17:47.610{2E2BE06D-6DD6-60FA-0500-00000000E601}416420C:\Windows\system32\csrss.exe{2E2BE06D-6FAB-60FE-1179-00000000E601}4124C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001026537Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:17:47.610{2E2BE06D-6DE8-60FA-2700-00000000E601}28923740C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2E2BE06D-6FAB-60FE-1179-00000000E601}4124C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001026536Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:17:47.610{2E2BE06D-6FAB-60FE-1179-00000000E601}4124C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{2E2BE06D-6DD6-60FA-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{2E2BE06D-6DE8-60FA-2700-00000000E601}2892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000889659Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:17:38.277{D94AFF6C-6DE2-60FA-6100-00000000E701}3628C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-702.eu-central-1.compute.internal52467-false10.0.1.12-8000- 23542300x8000000000000000889658Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:17:48.093{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB3B30F438F97E68B5E783A0D7376D57,SHA256=B0D1E9E71830484130A3632FB5B6A4633B25D64578D0038184BD385FF00F2873,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001026552Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:17:47.319{2E2BE06D-6DF4-60FA-6900-00000000E601}3676C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-56.attackrange.local59153-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001026551Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:17:48.125{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A1828F3C34FFBC127466D6A52D1F6B19,SHA256=79373710D8BE5DE745C634E17898348D363AABF01DF78CF3413D44A2EFA90284,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001026550Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:17:48.125{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F9975672085337B74FD46AFA25CBCE25,SHA256=76812D957577B71EC9463F8CBABB5254CEA954A8D0D55215E1F0544848069E0D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000889661Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:17:49.953{D94AFF6C-6DD9-60FA-2200-00000000E701}1296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=85E02EEFEB94889C2B3FA0450D64D965,SHA256=FD2D44B44F455C51F744FDF6D494B2B2CAA113DD2D7C2DD2E0FED42E8CA25B0C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000889660Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:17:49.124{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=40F4CB453D6A0967C05E93410471E619,SHA256=297213440B8B889C502DBFF296AFDA1A8344FD4B7546E5298FC7D8D4149BF9BC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001026553Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:17:49.250{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB3802C78BC926A11BBDC3C26A0FFA88,SHA256=2FAE29B6B1073EC1BDD7786D29E99E3A24CB5FDABE6D278F32C5219015EBB3CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001026555Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:17:50.594{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=46243353CEE588A9FEC8A006287D22A2,SHA256=22B4646C41F383F659D1792118F6AEA9921BDC81C911EDE783FAFA40D34BEA99,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001026554Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:17:50.250{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A36CDE9D62A604F149E9EB23B588006,SHA256=16E609E4F611CBF509F5F0E3DD61D19021D5F738A9009543DCFE5559094BC8C9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000889662Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:17:50.156{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E516D9A63563E38B1017C53AC010E564,SHA256=B2275068212D4CDE367052E3194C827E13A5F6AEE78DD167C7FF7DFA1D78AE3C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000889663Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:17:51.249{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F5182BF89B2BF18C268E851036CD5485,SHA256=349E314B100042AEF3477F41D56C07CEAF5F111FCCB67BC5877030347B857BA9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001026571Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:17:51.781{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001026570Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:17:51.781{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001026569Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:17:51.781{2E2BE06D-6DE9-60FA-3300-00000000E601}31563176C:\Windows\system32\conhost.exe{2E2BE06D-6FAF-60FE-1279-00000000E601}5896C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001026568Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:17:51.781{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001026567Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:17:51.781{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001026566Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:17:51.781{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001026565Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:17:51.781{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001026564Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:17:51.781{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001026563Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:17:51.781{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001026562Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:17:51.781{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001026561Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:17:51.781{2E2BE06D-6DD6-60FA-0500-00000000E601}416536C:\Windows\system32\csrss.exe{2E2BE06D-6FAF-60FE-1279-00000000E601}5896C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001026560Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:17:51.781{2E2BE06D-6DE8-60FA-2700-00000000E601}28923740C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2E2BE06D-6FAF-60FE-1279-00000000E601}5896C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001026559Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:17:51.767{2E2BE06D-6FAF-60FE-1279-00000000E601}5896C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2E2BE06D-6DD6-60FA-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{2E2BE06D-6DE8-60FA-2700-00000000E601}2892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001026558Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:17:50.663{2E2BE06D-6DD6-60FA-0B00-00000000E601}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-56.attackrange.local59154-true0:0:0:0:0:0:0:1win-dc-56.attackrange.local389ldap 354300x80000000000000001026557Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:17:50.663{2E2BE06D-6DE8-60FA-2300-00000000E601}2740C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-56.attackrange.local59154-true0:0:0:0:0:0:0:1win-dc-56.attackrange.local389ldap 23542300x80000000000000001026556Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:17:51.344{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B3D7DACD0527D2B800474F92F97E516B,SHA256=52A455EAD9794856094EEA401B1BA926FB799AFAA36668E068C78DF9045460AD,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000889668Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:17:42.747{D94AFF6C-6DD8-60FA-1000-00000000E701}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse212.102.34.235unn-212-102-34-235.datapacket.com38300-false10.0.1.15win-host-702.eu-central-1.compute.internal3389ms-wbt-server 354300x8000000000000000889667Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:17:41.980{D94AFF6C-6DD9-60FA-2200-00000000E701}1296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-702.eu-central-1.compute.internal52468-false10.0.1.12-8089- 23542300x8000000000000000889666Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:17:52.327{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A20C4C252B199653BC9F39FD405FFD71,SHA256=191DDE4D5533C476C091F0C713DF73B424612F3998A781DEE5EB80AD610703EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001026573Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:17:52.797{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=296D6CA7C131D3D045FF7B6B850D85D9,SHA256=31C0F8B04CA873E5E163ACBC741FED008FC0FC93E4132E52A56EA5AC954171AF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001026572Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:17:52.344{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A8A0E27F0DA50F1FCBBA65591FD834CB,SHA256=C00C99C589BD62499A45D363B708DDE7E96E2BDC67FBB3AAC6BF974744746C25,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000889665Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:17:52.265{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B6FA254D2B15CF5E8A68646AE970AA4D,SHA256=6CAF83A4811BA3EB49FD225559519A8F6C532EA172535FE84BCD48A95D5DC4D7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000889664Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:17:52.265{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=46753E06C38C7CF8F05B112DCCEFCA44,SHA256=18D885E9792FB9A06C8905FBA0CD8FE7C3D6799B7BFB372FE1FB629F3BA3E2EC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000889670Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:17:44.183{D94AFF6C-6DE2-60FA-6100-00000000E701}3628C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-702.eu-central-1.compute.internal52469-false10.0.1.12-8000- 23542300x8000000000000000889669Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:17:53.390{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E9F678A468CB1B700052766AA62CCA50,SHA256=8E99D62138AC5860A12ED40D9F8128720A665507B216C9AA9EB1A80FFDCD1799,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001026575Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:17:53.272{2E2BE06D-6DF4-60FA-6900-00000000E601}3676C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-56.attackrange.local59155-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001026574Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:17:53.360{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=91F263C99362013D81A282C17615E7C5,SHA256=CF97335B426B455B28E23F5009178602AB29FD5345D1804B7E35BD0A092A9D57,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000889671Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:17:54.468{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=989E7515E3C677E80AF994CCB7D2B760,SHA256=CA91544C75EB112854DCFBCD2C6930699A06F2042244EBBFBA644EE8BD04C10F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001026576Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:17:54.360{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E0AA4E95E79EC7BB28F9045A5FCCFE1D,SHA256=68040A26E18C5FED6A69E0272F14ED1FF2676890A6AD7708527D4EF7B455975F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000889672Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:17:55.671{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0626BBCF77C67C13F2E0C19EB06CA2E1,SHA256=8B71B01F5344FAB0269F3B807EBEE9BF469FAAF49B7325F048E24397A513049D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001026577Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:17:55.375{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB45F7A5D05AD738F5D3D9FDBC94A4CA,SHA256=D732A2B637CF63ADC80E775D42828D7710880D9A46EA84A59A876C761FDF4AF4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000889673Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:17:56.702{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ADDB41FBD624A3FD5C125394F33DC3D1,SHA256=C2A03F20CFC4C9846CC7027C340842DD73D9CDCCB59A6CD2828D3A778973D0DE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001026578Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:17:56.469{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA56348741C6ADCAA849761331AAFFA4,SHA256=130743C8278F42C8EC60C044ED15DE3C96106437A529FEA8759BE0D6EAD26B6A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000889674Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:17:57.718{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0CF7A6CAE6EA53BAC0445405DA296CF4,SHA256=9852E0EA51FD0FF728F13F49DF07C03BDB90D1AD0BD0B7B9CB8CCFCB5430654D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001026579Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:17:57.469{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D91B625A337766D2B5DC9B1DD5DCCEF6,SHA256=69B6212F38ABB1959C3C552450F30F1DBC2C2F2DADD946FC0A25423D3F2B855A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000889675Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:17:58.718{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=79BC85B9D0AA28030E79093F9A333051,SHA256=1CE390B3A9A8602F27C0F94499FDA7ACEF6B1E61CCDC7C7BA2915BE595E017B6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001026580Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:17:58.516{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=41B019057984513168007D55E6305065,SHA256=9C242BB05313BDE4134A7424A6748BF5867009D2545A8CD3744BD39214A63D62,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000889676Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:17:59.765{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF988CA49C8678E2F0BE49119D09FCAD,SHA256=E0387560A161F6A0ADE3D8F4316FC104DD9E3FCFAC9778AC3554D88C7A9DEDD9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001026581Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:17:59.531{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE52BA3F35439CAADDEA9F404D80F594,SHA256=082ACA762BCC57D75A7D8FC8F5373391533D20ABFAE64A0EFDE0F313587607AC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000889678Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:18:00.781{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EDC5E80713BA10403352637C0C05CAF2,SHA256=6BD1738A237B4849B3E20B996558749B2D5351CDED865CA6766A79A3E3F9D5C3,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001026586Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:18:00.246{2E2BE06D-6DD8-60FA-0F00-00000000E601}368C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse212.102.34.235unn-212-102-34-235.datapacket.com32210-false10.0.1.14win-dc-56.attackrange.local3389ms-wbt-server 23542300x80000000000000001026585Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:18:00.735{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=774DA825D35B40565ED21E2052904D39,SHA256=D1DF31ABDCFE97343659B7355A071184B4F0B2783855941C2A7B5E9264964BBD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001026584Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:18:00.735{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4EB64EF2A03DF116B9670CCF4FC06BE7,SHA256=C366EBEA5E00668A9EC98389B041F2FB89ADEE9BC65502A5A741E91946961A05,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001026583Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:18:00.531{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6518101261EB18FF2CABB36E21E58E67,SHA256=1E9BD857F0E831FAE2832E59DB2B7591AD500A91BFF9ED5063E07520B16C0BB2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000889677Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:17:50.182{D94AFF6C-6DE2-60FA-6100-00000000E701}3628C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-702.eu-central-1.compute.internal52470-false10.0.1.12-8000- 354300x80000000000000001026582Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:17:59.163{2E2BE06D-6DF4-60FA-6900-00000000E601}3676C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-56.attackrange.local59156-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000889679Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:18:01.796{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EDAF61DA5A508549CC2B2EA423BCE483,SHA256=65D7BE88FC614E4AC580D09F121A9F1789773BA77CE32AA6813784C64C7BF6C1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001026587Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:18:01.563{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BEB04C97AC001BDEB8AB2734B7D444D7,SHA256=7FB095D39CC0AD3301FB853B91D77A1B93CB50B4325377022F19A5081DA729BE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000889680Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:18:02.796{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4869A1322C4F57A63AB3890CF9F750C4,SHA256=30F03AD036132A4D441FD73C8CFA060A27C6CBACDF3624CDCCDA94F900FABC61,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001026588Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:18:02.578{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=326266B9A37D1C9C20B1F3D221C20DF6,SHA256=B9B243A66CEE834932E899A10F0D0DC951550A193DCDDD4D9C7FEDBBAC17C994,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000889681Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:18:03.812{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B2A220BFD79471BEAF72E96B329A12B,SHA256=703BF9500513532390BE2A905316863931AD93BA42219F5E61E8B59684C85401,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001026589Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:18:03.578{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=26EC353812C8E590F1CD782152A530E9,SHA256=3FB6DB300E1E74AD3F37535BBDD3F4DB467AC98D8039B63B3B4CDE1A27A83B02,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000889682Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:18:04.827{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A4226378BDE530BC888001C0171CA3B4,SHA256=96E11B966DC980CE528A2C51E2C55B45B2BDA1ECDC6BB6EC3067B0D6F0CD3A86,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001026591Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:18:04.304{2E2BE06D-6DF4-60FA-6900-00000000E601}3676C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-56.attackrange.local59157-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001026590Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:18:04.612{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DCAAAFEF09AE426F87B6D9F5EEB34CB6,SHA256=3CBC9F14E8C76102140784E7B64955B71F0C73696BA06511AB41652D5ACCAC8D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000889684Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:18:05.859{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E9E71497F8291F32A0E80659C2C84EC7,SHA256=1377E9D74B212C92BC91D859DC58065913CE8BDB038015EBF124088703C5D70A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001026592Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:18:05.624{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E3EF755FB7A12663E2DE2A1BBCEF8FC4,SHA256=46CE38937B08594286AF062810BCAD90FDB151AF003FBFE5DD600A0A498D4A72,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000889683Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:17:55.292{D94AFF6C-6DE2-60FA-6100-00000000E701}3628C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-702.eu-central-1.compute.internal52471-false10.0.1.12-8000- 23542300x8000000000000000889685Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:18:06.874{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3FBBBCC9A0E5594D3B43EA4BF8546A97,SHA256=EF36B48C64AC1BEE5806C8A687510B9E9AA6BDA5B6A4B5B08DEEB90C8829FDA6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001026593Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:18:06.641{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B716604BA7D6AE1314E831D1AD19DCD,SHA256=F4391B45235A5BA483FAA9C7F447094DA5BA83D5F5D0D2573FCD555E95FDCD7A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000889686Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:18:07.890{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=76C9D7857422EF6B8CDC1EC05B82D491,SHA256=F668537F3EEE7E376AA121C2699787F7818EF145201FE7156EFEA03B0629997E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001026594Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:18:07.642{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=53A5A59C8746CDB7F3E9FE1C88002874,SHA256=C8419F53D8152ED2616781C18D234825F8773C14D404F34DACE8555FD1DABC2D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000889687Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:18:08.906{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=78AF7ADD27668098793802A76524D5B7,SHA256=D938A580A455CFB71DED1C9A0654E2E9219978978FC93E710130D19B232FA188,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001026595Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:18:08.688{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2DD65CDE468E27C91D7EF8487BA84A17,SHA256=3A75910448088EC1172EDF6F742E51DD5FC60D25BCC93B70BCAD81188BB5922D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000889688Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:18:09.921{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D5F2FC5610DAE3120243AEAB18E39F9,SHA256=70AD4E4B32992FCB70B2D9A52FA1174DAC47527766CB04DE6354ED8753D154E5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001026596Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:18:09.798{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=76FD8D9744F8064ACCCABFB18EA7BF79,SHA256=8AD0B6EF42A63BD5B1D81E8F3C2ED8C633AF12F3FD8685EBE1F4334489C40E8A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000889692Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:18:10.937{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=64FB5F4314EBD339016AE397A1DD22B5,SHA256=7C5C4653EFA1E3CA1FC2F6E2F693F2C5DFA70E6024C4E84AC44C7DC4DC6A02EE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001026597Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:18:10.891{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E1E217ACB309AC15CFC2FF429BCACD65,SHA256=FAA83BA169C26BB93F2EAFC6E47480932AA5570E72789687F10416A05574EB92,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000889691Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:18:00.948{D94AFF6C-6DD8-60FA-1000-00000000E701}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse193.93.62.20-13985-false10.0.1.15win-host-702.eu-central-1.compute.internal3389ms-wbt-server 23542300x8000000000000000889690Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:18:10.046{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=86A119A829064B9469010E08CC97AA5D,SHA256=FCDE0924E52C7EDA3CC6D4AA1FBA94588D9829DC3BD418EA37881213CC0E155B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000889689Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:18:10.046{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B6FA254D2B15CF5E8A68646AE970AA4D,SHA256=6CAF83A4811BA3EB49FD225559519A8F6C532EA172535FE84BCD48A95D5DC4D7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000889694Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:18:11.952{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BEFBA842D04FE18FA8A232682871254F,SHA256=145D20CE2AB895E308C1AF3A2DF0C5DE3A9490291016E2392CDDB10AF7EDF60B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001026599Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:18:11.891{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=652727BC013ECC2920095D78D2052355,SHA256=0DE0DCFD68FED92A9EC56EECE3CA2D39BF412B4928F9854A5F131A461D1FCB1D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000889693Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:18:01.073{D94AFF6C-6DE2-60FA-6100-00000000E701}3628C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-702.eu-central-1.compute.internal52472-false10.0.1.12-8000- 354300x80000000000000001026598Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:18:10.257{2E2BE06D-6DF4-60FA-6900-00000000E601}3676C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-56.attackrange.local59158-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001026600Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:18:12.907{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E6D0D85EE75C7BD8310B76729187E4B1,SHA256=7742E5BC5FFB6EB5C5F9096DB007A6D63071EE41CAC426EB09920C3141D347D2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000889695Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:18:12.968{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=247F7709401C357B3B012E72B6DF5747,SHA256=49486AF3BC03277FFAA235407E14E5FD191E6AFAA99EEE2F7C472B3B525319DA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000889696Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:18:13.984{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D59A1641C81799031A92B1E7CB4037B,SHA256=8B7D203F3E7923E855D381A95F55C84E2B6F8B859F1E716E26F403C3919FE91F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000889699Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:18:14.421{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD8-60FA-1300-00000000E701}684C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000889698Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:18:14.421{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD8-60FA-1300-00000000E701}684C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000889697Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:18:14.421{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD8-60FA-1300-00000000E701}684C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001026604Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:18:14.579{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F0F5E6FDBD23B2C4749470F6706B3A35,SHA256=EFCB8EBC8091FF849111C21543FD043FF2770F735AB65A4200EC3DBE9BD57A19,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001026603Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:18:14.579{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=774DA825D35B40565ED21E2052904D39,SHA256=D1DF31ABDCFE97343659B7355A071184B4F0B2783855941C2A7B5E9264964BBD,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001026602Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:18:14.039{2E2BE06D-6DD8-60FA-0F00-00000000E601}368C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse112.29.139.34-14326-false10.0.1.14win-dc-56.attackrange.local3389ms-wbt-server 23542300x80000000000000001026601Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:18:14.126{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A01C86FBE3FF4A71AB9E3E93BEBE5C8,SHA256=FC679A32F6205A36E3438A897AAECF340CFDB392242902B5524BFF5637D31C77,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001026606Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:18:15.251{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D38C35B0CF420983E4FB6D1CB63F3A09,SHA256=325E0D7D8375A4CDDB8B855F3826127A3E25E19163B195002C0C885951453891,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000889700Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:18:14.999{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1752874BF672EE835A7ED7CC216A8C28,SHA256=AE798FAFB0194D329AA899EF8560AE705EFFB5555558EF4F1EE917A3CE34D37E,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001026605Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:18:14.569{2E2BE06D-6DD8-60FA-0F00-00000000E601}368C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse193.93.62.7-33809-false10.0.1.14win-dc-56.attackrange.local3389ms-wbt-server 23542300x80000000000000001026607Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:18:16.485{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D2F0D185C18F60A9FDF0598A9C9314C,SHA256=F41537A706925E25FE0AD98019EDA204150F71BC58233CEC780FAC062384258C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000889702Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:18:06.245{D94AFF6C-6DE2-60FA-6100-00000000E701}3628C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-702.eu-central-1.compute.internal52473-false10.0.1.12-8000- 23542300x8000000000000000889701Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:18:16.015{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=30AD1D80C19910E563ABB574B3A19049,SHA256=06792A8D6DF4F9F7138B96BEB8E144D2744A39F6E14DC7E06F841EEB0C8CB4E0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001026610Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:18:17.829{2E2BE06D-6DD8-60FA-1200-00000000E601}780NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=41C308986ECC2891472A4D472D6E9FA6,SHA256=397E527DDEF2F076CCAB8D9870D2A335B7AB48A5A5ED3A54AB2B3E115AE2404C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001026609Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:18:17.516{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=26EA043D87A593A8A0FF4EC3FD4807EF,SHA256=4A742F8415342219381D5981B50A74EEF2D5E1E9B61B06391543613834453B59,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000889703Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:18:17.031{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BFDBD3404DF9612921FE19092E74EE19,SHA256=2EC1C9FD6A3698AE64FA78CAA8FA3C2F09FC6ACA22C94FCD31D0B08C4FE143EF,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001026608Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:18:16.163{2E2BE06D-6DF4-60FA-6900-00000000E601}3676C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-56.attackrange.local59159-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001026611Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:18:18.516{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=365400D93BFF4591133F2A7CA1EC39C8,SHA256=644D0339D5DBCACE2A6C033E556505C841B6706AE51A7A7BDEF2B593EECA77A0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000889704Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:18:18.046{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C26E1C7A2D2FBBD877AEF25687A7FEFF,SHA256=61712EA00CE71FBAFD3A995377E3A8A2EF612A92A88E5C7E77645C5CAB0E4E37,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001026612Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:18:19.735{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB08DE9FDCF55066836397ED2EBBFCB1,SHA256=493D6EF3927313E2C067046AE6CE1BE23F7CF40DFC3771D5F451F9F8A8992C1F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000889705Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:18:19.062{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B381CB9353F98671B898A4A24A4B5A4,SHA256=D5B1C6AD213675C074CEE78FEA4DA2158FB002D78C875B203313CA59B0702A35,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001026613Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:18:20.751{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B55D5390552BB02AB406C9D228ACB64,SHA256=06DA978121B7DAA2F334B4F2335801D01280D7E0068CAFED67616196C7791F72,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000889706Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:18:20.062{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C1BE0DCD9C8EEBD33BF2BE5518098B7,SHA256=8B65833179D5CE7FDD162110095D085C999581CE526234B0381986002149F5CC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001026618Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:18:21.751{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=36FABEDED25B4BABCDB492885C694C89,SHA256=912118439C897CD8F26F0E1DBCBC89932DBD121C19003BF937A56170ABEE61D6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000889707Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:18:21.077{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=108A38D259251E20FDE1ED43A9ADA1B4,SHA256=DB81EE8DE293C6F91418205CC894BE45C96A90D6CDB8E3B6AEFD08F6B51400C8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001026617Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:18:21.391{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DD9-60FA-1600-00000000E601}1332C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001026616Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:18:21.391{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DD9-60FA-1600-00000000E601}1332C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001026615Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:18:21.391{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DD9-60FA-1600-00000000E601}1332C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001026614Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:18:21.257{2E2BE06D-6DF4-60FA-6900-00000000E601}3676C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-56.attackrange.local59160-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001026619Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:18:22.891{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C16961AE144BB076C1CB7A1EEAFB841A,SHA256=6BF52F2EF50D3C1E520A9A1865283CBD8ED653B0BA8B0E4BCC685182957CED3F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000889709Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:18:12.229{D94AFF6C-6DE2-60FA-6100-00000000E701}3628C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-702.eu-central-1.compute.internal52474-false10.0.1.12-8000- 23542300x8000000000000000889708Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:18:22.093{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A1B0F9764BA246BF1D088F118A15591C,SHA256=9ECE6348BBC4C89F89730119518CF4BFFF17F3BEF925C1292235AED874AC1742,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001026620Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:18:23.954{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=178AECE55EF23C9333AD19A443E72504,SHA256=AE62588B0C2930A6AB2AAE3AFF38C48E34E35271BD0F2FEAB248C53BBB666E6F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000889710Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:18:23.109{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BBD4BD5B02835E379ED1743F74B1D3A2,SHA256=5D9E14699E0A8C416B727628C5FBF4C1A7802BA60A63AD6E2C03949CA1B2FE5D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001026622Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:18:24.969{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5ED8066011B273D36084AD092527391A,SHA256=BFB40B0EA425809FC2BAFCD433BC726BEA130A6712F3D7846B72BB95F1A825C8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000889711Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:18:24.124{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8EFA685FD3F562EF2F204E2C89978823,SHA256=5CBF7E0D2F8147510B824676F38B7550061EBF521D534AEDA56997033277EA79,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001026621Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:18:24.891{2E2BE06D-6DE8-60FA-2700-00000000E601}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=85E02EEFEB94889C2B3FA0450D64D965,SHA256=FD2D44B44F455C51F744FDF6D494B2B2CAA113DD2D7C2DD2E0FED42E8CA25B0C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000889712Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:18:25.140{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=35D71A9325A6090E6F953F05903F6F9C,SHA256=8D9EF3D53D0427EAD13F43174C3483A4635963D004404F29978519468A975BF3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000889713Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:18:26.249{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=527BCD4BCAAB7961CF15E21F26F4A5C4,SHA256=2AF7EF5749566A1FB9028CD54F3B4CACA8AF596D447B0697EE1CDAA9958854F7,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001026624Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:18:26.007{2E2BE06D-6DE8-60FA-2700-00000000E601}2892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-56.attackrange.local59161-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x80000000000000001026623Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:18:26.001{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7CDFBFEC7657D2BB737B62EC8CF9289D,SHA256=571620D621FF88C2207D650A2C684FA2FF8258C9ABC4CD465EC47701196A8973,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000889728Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:18:27.905{D94AFF6C-6DDA-60FA-2B00-00000000E701}28322852C:\Windows\system32\conhost.exe{D94AFF6C-6FD3-60FE-8478-00000000E701}2788C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000889727Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:18:27.890{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000889726Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:18:27.890{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000889725Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:18:27.890{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000889724Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:18:27.890{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000889723Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:18:27.890{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000889722Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:18:27.890{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000889721Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:18:27.890{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000889720Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:18:27.890{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000889719Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:18:27.890{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000889718Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:18:27.890{D94AFF6C-6DD7-60FA-0500-00000000E701}416532C:\Windows\system32\csrss.exe{D94AFF6C-6FD3-60FE-8478-00000000E701}2788C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000889717Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:18:27.890{D94AFF6C-6DD9-60FA-2200-00000000E701}12963324C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D94AFF6C-6FD3-60FE-8478-00000000E701}2788C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000889716Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:18:27.891{D94AFF6C-6FD3-60FE-8478-00000000E701}2788C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D94AFF6C-6DD8-60FA-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{D94AFF6C-6DD9-60FA-2200-00000000E701}1296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000889715Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:18:18.197{D94AFF6C-6DE2-60FA-6100-00000000E701}3628C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-702.eu-central-1.compute.internal52475-false10.0.1.12-8000- 23542300x8000000000000000889714Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:18:27.484{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D12BFDD138FB43D57A50E106B819CDE,SHA256=08596C23B48E71BC849839C776DAAFD0116467EE34D3F43F4F40EFDD84838CBC,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001026626Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:18:27.241{2E2BE06D-6DF4-60FA-6900-00000000E601}3676C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-56.attackrange.local59162-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001026625Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:18:27.094{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2BA0DE89C24EFD368D07FC3A5198B50E,SHA256=3175116CC23B5D1F72A06B0385DD94A92BD81715A3A9C4A7DF3D053C3FE0E3B2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000889745Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:18:28.906{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EA7EBC388FCF02F3D5800ADFB42E8CC7,SHA256=4E622F5D468FE710269EEF50745291489CAE52D471D19A75E61ABE140F28DC9E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000889744Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:18:28.906{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=86A119A829064B9469010E08CC97AA5D,SHA256=FCDE0924E52C7EDA3CC6D4AA1FBA94588D9829DC3BD418EA37881213CC0E155B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000889743Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:18:28.687{D94AFF6C-6FD4-60FE-8578-00000000E701}20683928C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{D94AFF6C-6DD9-60FA-2200-00000000E701}1296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000889742Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:18:28.577{D94AFF6C-6DDA-60FA-2B00-00000000E701}28322852C:\Windows\system32\conhost.exe{D94AFF6C-6FD4-60FE-8578-00000000E701}2068C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000889741Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:18:28.562{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000889740Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:18:28.562{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000889739Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:18:28.562{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000889738Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:18:28.562{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000889737Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:18:28.562{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000889736Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:18:28.562{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000889735Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:18:28.562{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000889734Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:18:28.562{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000889733Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:18:28.562{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000889732Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:18:28.562{D94AFF6C-6DD7-60FA-0500-00000000E701}4161852C:\Windows\system32\csrss.exe{D94AFF6C-6FD4-60FE-8578-00000000E701}2068C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000889731Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:18:28.562{D94AFF6C-6DD9-60FA-2200-00000000E701}12963324C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D94AFF6C-6FD4-60FE-8578-00000000E701}2068C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000889730Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:18:28.562{D94AFF6C-6FD4-60FE-8578-00000000E701}2068C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D94AFF6C-6DD8-60FA-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{D94AFF6C-6DD9-60FA-2200-00000000E701}1296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000889729Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:18:28.484{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D398170D9424E36915F264758C955B1,SHA256=500432C4D01804EA89230B401C90CE669B81B6822FC5042A1612FCDCAC9ADE7B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001026627Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:18:28.110{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A94CA3FAA66BC2D425F9071B6B35AA43,SHA256=F0FEAB74F0672D68D625C9A6E0710DCD32668D8B3810343276827056844A48B7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000889771Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:18:29.937{D94AFF6C-6DDA-60FA-2B00-00000000E701}28322852C:\Windows\system32\conhost.exe{D94AFF6C-6FD5-60FE-8778-00000000E701}1836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000889770Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:18:29.921{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000889769Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:18:29.921{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000889768Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:18:29.921{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000889767Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:18:29.921{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000889766Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:18:29.921{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000889765Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:18:29.921{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000889764Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:18:29.921{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000889763Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:18:29.921{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000889762Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:18:29.921{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000889761Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:18:29.921{D94AFF6C-6DD7-60FA-0500-00000000E701}4161852C:\Windows\system32\csrss.exe{D94AFF6C-6FD5-60FE-8778-00000000E701}1836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000889760Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:18:29.921{D94AFF6C-6DD9-60FA-2200-00000000E701}12963324C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D94AFF6C-6FD5-60FE-8778-00000000E701}1836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000889759Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:18:29.922{D94AFF6C-6FD5-60FE-8778-00000000E701}1836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D94AFF6C-6DD8-60FA-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{D94AFF6C-6DD9-60FA-2200-00000000E701}1296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001026628Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:18:29.110{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D3D7B386FA9EDAF573C9F6874E28D1D9,SHA256=F10E8C032751FC03FA407F50ABF1CBB85A79BBB15596EEFD487A63289FD7C6B3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000889758Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:18:29.249{D94AFF6C-6DDA-60FA-2B00-00000000E701}28322852C:\Windows\system32\conhost.exe{D94AFF6C-6FD5-60FE-8678-00000000E701}2564C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000889757Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:18:29.249{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000889756Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:18:29.249{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000889755Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:18:29.249{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000889754Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:18:29.249{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000889753Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:18:29.249{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000889752Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:18:29.249{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000889751Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:18:29.249{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000889750Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:18:29.249{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000889749Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:18:29.249{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000889748Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:18:29.249{D94AFF6C-6DD7-60FA-0500-00000000E701}416432C:\Windows\system32\csrss.exe{D94AFF6C-6FD5-60FE-8678-00000000E701}2564C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000889747Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:18:29.249{D94AFF6C-6DD9-60FA-2200-00000000E701}12963324C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D94AFF6C-6FD5-60FE-8678-00000000E701}2564C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000889746Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:18:29.234{D94AFF6C-6FD5-60FE-8678-00000000E701}2564C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D94AFF6C-6DD8-60FA-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{D94AFF6C-6DD9-60FA-2200-00000000E701}1296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000889775Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:18:30.952{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A685AA0FD8015157C54A7D39998B9DA,SHA256=E97CB8AA1686DFC25BB4862F9BCB2AE68F33EB7BB8FD6B916FBA6C50F8A0BD32,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001026629Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:18:30.110{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=893119BA0B3B2280729D4A97C25D6E65,SHA256=F65042FD70470FFBCBB19A140CB8AD7BB27169398FF5B0BA848C099D56CEDBBE,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000889774Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:18:20.412{D94AFF6C-6DD8-60FA-1000-00000000E701}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse193.93.62.33-30408-false10.0.1.15win-host-702.eu-central-1.compute.internal3389ms-wbt-server 23542300x8000000000000000889773Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:18:30.296{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EA7EBC388FCF02F3D5800ADFB42E8CC7,SHA256=4E622F5D468FE710269EEF50745291489CAE52D471D19A75E61ABE140F28DC9E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000889772Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:18:30.077{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=141D1A69A0E84D3448C7BDD21E81804E,SHA256=73FD5EEAFA1F077F78EDB4F1C8B8029A8BC41A0EB4787800EDE08F89D3C961D4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001026630Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:18:31.110{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C7674C77BF73273A7F8509F8750C83FD,SHA256=63F207214BE6A1FE99FAB15CFED5671A798A32C51DAAD6DAFC6461E186874508,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001026631Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:18:32.110{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=99B9B5D5006BF63D38F2E31A30846C57,SHA256=320D78E1BA0E73D735D1061FF068FD7A288FFD6377BF4E597E1A600F60DE72D4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000889776Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:18:32.140{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D7BDDB8702D60F3E033F2C7DD85574C3,SHA256=445B1BB40A38ABC97376365DE8138D6E3BF13F6A31160D5D1665F13562B77D8F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000889778Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:18:23.307{D94AFF6C-6DE2-60FA-6100-00000000E701}3628C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-702.eu-central-1.compute.internal52476-false10.0.1.12-8000- 23542300x8000000000000000889777Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:18:33.171{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B6611B4047602D97C678783CFE79704B,SHA256=17428666ACC1A061B07424A342840AFD87575441E97B54A724A33C4045E4476A,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001026633Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:18:33.179{2E2BE06D-6DF4-60FA-6900-00000000E601}3676C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-56.attackrange.local59163-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001026632Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:18:33.110{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4394C535C454AFD7BC66A7680EAEFF82,SHA256=B1BAAF07E98D97AEAE66E506CCDB00FED7B3A6E82B51980308DA25197BD9DFF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000889779Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:18:34.187{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3DCB995472AA58EB063610C5ACB0F6F1,SHA256=4375D060622844041FEDE328FD849771463A2C8193A603BCA7048E4AC47B4110,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001026634Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:18:34.126{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A03D7092E8055A7979E02D6B22BFE46A,SHA256=9AF74997E765D49E904F318BBDF92A4AC3AA7A7EB88F86C75985213874B2B478,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000889794Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:18:35.749{D94AFF6C-6FDB-60FE-8878-00000000E701}38003196C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D94AFF6C-6DD9-60FA-2200-00000000E701}1296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000889793Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:18:35.640{D94AFF6C-6DDA-60FA-2B00-00000000E701}28322852C:\Windows\system32\conhost.exe{D94AFF6C-6FDB-60FE-8878-00000000E701}3800C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000889792Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:18:35.624{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000889791Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:18:35.624{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000889790Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:18:35.624{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000889789Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:18:35.624{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000889788Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:18:35.624{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000889787Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:18:35.624{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000889786Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:18:35.624{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000889785Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:18:35.624{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000889784Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:18:35.624{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000889783Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:18:35.624{D94AFF6C-6DD7-60FA-0500-00000000E701}416532C:\Windows\system32\csrss.exe{D94AFF6C-6FDB-60FE-8878-00000000E701}3800C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000889782Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:18:35.624{D94AFF6C-6DD9-60FA-2200-00000000E701}12963324C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D94AFF6C-6FDB-60FE-8878-00000000E701}3800C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000889781Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:18:35.625{D94AFF6C-6FDB-60FE-8878-00000000E701}3800C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D94AFF6C-6DD8-60FA-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{D94AFF6C-6DD9-60FA-2200-00000000E701}1296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000889780Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:18:35.234{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=78501D6AEDFDFE108E989328C1A84A8D,SHA256=015DD6C5238CCE9AB6B71B797D5243F9E0F7DF61EC8C4C18D9B8BE8BA3AA0B83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001026635Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:18:35.126{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=096F5290F9776229FF96D8E72CF97B44,SHA256=1DAAF311DE19B9A192C123F4A86FBD5EACBAA1CA532F3383240DAF8D140286DD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000889797Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:18:36.796{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7465292A943788B7F1A0B134DBDC269C,SHA256=72B413B64766DC1C6BBC00C38421CBDC5741F4B96E9046A45D98C921850AA956,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000889796Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:18:36.796{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B62CE4617E6AC337BF54B6BCE7F92879,SHA256=2F1D33D93AFC9C7C79273E1F2F6AE8DB00EBA6973D6C72AA40306A7C3FD4E1DC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000889795Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:18:36.249{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC191B92BBDA4B726F24F52172DA7C84,SHA256=59401A2950BD14F8F6BB4F2DA412BF39D849C372A21FB6D75792E58BD6C44D5F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001026636Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:18:36.142{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D6DA5134ABFC953E963558BCA1ACB22,SHA256=CE7D851144D008073E46002892B91751087680C96179C7CD2A4D1EC4C2BFC49E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000889798Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:18:37.281{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA00839853A8CFD6864E133354745344,SHA256=D8791BE60E54DDCBD1635CEEB581C6CBF246D454201CF56141D98C1B76682387,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001026637Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:18:37.157{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6809D9F8115767FB7D30F2CAD39EC9E7,SHA256=371FE86AF0F171A03FADD86436136ACEEEC405F28855A96E00AC788171562D2B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000889799Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:18:38.282{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C78515AD91DE7675F24FD3ABE9D4D8E,SHA256=7BD0F47B976D6E0A0CCC1D3454CAE1F1AE75E19E747750AB3EB3CB5A69281D6E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001026638Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:18:38.172{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=18DF92101C6B632B0D40CBD61948A89C,SHA256=CEBA1812FB00D476D5B871BF490B1DD7E8ADC9140B1E9F1AAAC2B94348341E49,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001026640Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:18:39.188{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7447C11AD756100037860D002A73CB67,SHA256=F496BA0FA1017F3BF2B43C8BDFA12E7554FEC231109AC83FF21104B0789CC7F9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000889815Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:18:39.748{D94AFF6C-6FDF-60FE-8978-00000000E701}37882776C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{D94AFF6C-6DD9-60FA-2200-00000000E701}1296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000889814Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:18:39.638{D94AFF6C-6DDA-60FA-2B00-00000000E701}28322852C:\Windows\system32\conhost.exe{D94AFF6C-6FDF-60FE-8978-00000000E701}3788C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000889813Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:18:39.623{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000889812Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:18:39.623{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000889811Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:18:39.623{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000889810Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:18:39.623{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000889809Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:18:39.623{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000889808Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:18:39.623{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000889807Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:18:39.623{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000889806Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:18:39.623{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000889805Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:18:39.623{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000889804Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:18:39.623{D94AFF6C-6DD7-60FA-0500-00000000E701}416532C:\Windows\system32\csrss.exe{D94AFF6C-6FDF-60FE-8978-00000000E701}3788C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000889803Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:18:39.623{D94AFF6C-6DD9-60FA-2200-00000000E701}12963324C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D94AFF6C-6FDF-60FE-8978-00000000E701}3788C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000889802Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:18:39.623{D94AFF6C-6FDF-60FE-8978-00000000E701}3788C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D94AFF6C-6DD8-60FA-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{D94AFF6C-6DD9-60FA-2200-00000000E701}1296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000889801Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:18:29.259{D94AFF6C-6DE2-60FA-6100-00000000E701}3628C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-702.eu-central-1.compute.internal52477-false10.0.1.12-8000- 23542300x8000000000000000889800Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:18:39.295{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE364CB81BA811CC16A763BBE3840C0F,SHA256=AF66CC44DE531E74FB17E18623FB1DD1BA35B126589BA5323085ADB9BD66948B,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001026639Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:18:38.288{2E2BE06D-6DF4-60FA-6900-00000000E601}3676C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-56.attackrange.local59164-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000889831Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:18:40.625{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7465292A943788B7F1A0B134DBDC269C,SHA256=72B413B64766DC1C6BBC00C38421CBDC5741F4B96E9046A45D98C921850AA956,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000889830Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:18:40.422{D94AFF6C-6FE0-60FE-8A78-00000000E701}2920500C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D94AFF6C-6DD9-60FA-2200-00000000E701}1296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000889829Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:18:40.313{D94AFF6C-6DDA-60FA-2B00-00000000E701}28322852C:\Windows\system32\conhost.exe{D94AFF6C-6FE0-60FE-8A78-00000000E701}2920C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000889828Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:18:40.297{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000889827Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:18:40.297{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000889826Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:18:40.297{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000889825Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:18:40.297{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000889824Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:18:40.297{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000889823Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:18:40.297{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000889822Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:18:40.297{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000889821Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:18:40.297{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000889820Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:18:40.297{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000889819Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:18:40.297{D94AFF6C-6DD7-60FA-0500-00000000E701}416532C:\Windows\system32\csrss.exe{D94AFF6C-6FE0-60FE-8A78-00000000E701}2920C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000889818Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:18:40.297{D94AFF6C-6DD9-60FA-2200-00000000E701}12963324C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D94AFF6C-6FE0-60FE-8A78-00000000E701}2920C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000889817Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:18:40.298{D94AFF6C-6FE0-60FE-8A78-00000000E701}2920C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{D94AFF6C-6DD8-60FA-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{D94AFF6C-6DD9-60FA-2200-00000000E701}1296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000889816Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:18:40.297{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB016806937F00336FFD288FEAEF08E9,SHA256=CB6B8E3198C202C4BC7291523A9ECC9FAA11BBACEC8B7A4509270FB225FD2A2E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001026641Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:18:40.188{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA8624B43FD3013F549312A29B5D2294,SHA256=5C900D8D834DE7BA67524C3811A3AB313D4CA8082D1916ABA1B1F7129ADC80B8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000889832Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:18:41.313{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C1EAD1957D51ADAFD28E9A5E6B78C493,SHA256=4375F2C6771B8B6792370FB963B1531007AB417DE85F1B986BC62DD532BF3116,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001026642Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:18:41.204{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=72C4BA41CA2E4D9E1F24F11B249FF0DC,SHA256=299900A352942B2D42F88343F62C55C093ABF07ADE6389A87687E6CE5FB279B3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000889833Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:18:42.328{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CBCD43127EA71E19240C01F3711579A5,SHA256=CFA035B14F157D3C65CAF825EBDE8CF8895F4F05E3349633C64033134100297F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001026643Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:18:42.204{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C624C21D4EA70C48B47B8A996CFA9BAF,SHA256=62BD3DEBFE02D8628EA716C25352EBC1C8B356D786A26D8611C95D9C0E42A048,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000889834Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:18:43.344{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=43435B04C9FA09250360C3570488920D,SHA256=1A7C4FBE53CF063757C6FDB6A08148700B32FE65BD6077D68EC6EEEED2C39E87,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001026644Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:18:43.219{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A6AB08985C94BB7834D539593DFBC9B,SHA256=B1BB5A9CF4F9E022F66BEF50B437D9349B0B03D67EB1B9A13D28AE2980A7195E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000889836Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:18:35.198{D94AFF6C-6DE2-60FA-6100-00000000E701}3628C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-702.eu-central-1.compute.internal52478-false10.0.1.12-8000- 23542300x8000000000000000889835Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:18:44.359{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=06ADB5223E7297C058CBD8037F1123DE,SHA256=2660FAB7794B8AC44DFCB7138CF40BA0908CF26C3B5AE51CEF7DAB1458B9B7B9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001026671Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:18:44.922{2E2BE06D-6DE9-60FA-3300-00000000E601}31563176C:\Windows\system32\conhost.exe{2E2BE06D-6FE4-60FE-1479-00000000E601}976C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001026670Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:18:44.922{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001026669Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:18:44.922{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001026668Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:18:44.922{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001026667Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:18:44.922{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001026666Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:18:44.922{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001026665Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:18:44.922{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001026664Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:18:44.922{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001026663Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:18:44.922{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001026662Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:18:44.922{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001026661Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:18:44.922{2E2BE06D-6DD6-60FA-0500-00000000E601}416536C:\Windows\system32\csrss.exe{2E2BE06D-6FE4-60FE-1479-00000000E601}976C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001026660Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:18:44.922{2E2BE06D-6DE8-60FA-2700-00000000E601}28923740C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2E2BE06D-6FE4-60FE-1479-00000000E601}976C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001026659Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:18:44.876{2E2BE06D-6FE4-60FE-1479-00000000E601}976C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2E2BE06D-6DD6-60FA-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{2E2BE06D-6DE8-60FA-2700-00000000E601}2892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001026658Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:18:44.251{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=075A602B8F23EAB05047E23CB498E687,SHA256=39F0CAEEB7EDF7E2A1D95E2C70D3440E7628B3C4B0B02425BFEFA19BA3BC98AC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001026657Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:18:44.204{2E2BE06D-6DE9-60FA-3300-00000000E601}31563176C:\Windows\system32\conhost.exe{2E2BE06D-6FE4-60FE-1379-00000000E601}6576C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001026656Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:18:44.204{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001026655Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:18:44.204{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001026654Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:18:44.204{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001026653Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:18:44.204{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001026652Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:18:44.204{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001026651Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:18:44.204{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001026650Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:18:44.204{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001026649Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:18:44.204{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001026648Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:18:44.204{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001026647Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:18:44.204{2E2BE06D-6DD6-60FA-0500-00000000E601}416432C:\Windows\system32\csrss.exe{2E2BE06D-6FE4-60FE-1379-00000000E601}6576C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001026646Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:18:44.204{2E2BE06D-6DE8-60FA-2700-00000000E601}28923740C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2E2BE06D-6FE4-60FE-1379-00000000E601}6576C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001026645Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:18:44.189{2E2BE06D-6FE4-60FE-1379-00000000E601}6576C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2E2BE06D-6DD6-60FA-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{2E2BE06D-6DE8-60FA-2700-00000000E601}2892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001026689Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:18:45.876{2E2BE06D-6FE5-60FE-1579-00000000E601}26362260C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{2E2BE06D-6DE8-60FA-2700-00000000E601}2892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001026688Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:18:45.610{2E2BE06D-6DE9-60FA-3300-00000000E601}31563176C:\Windows\system32\conhost.exe{2E2BE06D-6FE5-60FE-1579-00000000E601}2636C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001026687Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:18:45.610{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001026686Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:18:45.610{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001026685Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:18:45.610{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001026684Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:18:45.610{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001026683Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:18:45.610{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001026682Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:18:45.610{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001026681Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:18:45.610{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001026680Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:18:45.610{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001026679Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:18:45.610{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001026678Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:18:45.610{2E2BE06D-6DD6-60FA-0500-00000000E601}416432C:\Windows\system32\csrss.exe{2E2BE06D-6FE5-60FE-1579-00000000E601}2636C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001026677Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:18:45.610{2E2BE06D-6DE8-60FA-2700-00000000E601}28923740C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2E2BE06D-6FE5-60FE-1579-00000000E601}2636C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001026676Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:18:45.597{2E2BE06D-6FE5-60FE-1579-00000000E601}2636C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2E2BE06D-6DD6-60FA-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{2E2BE06D-6DE8-60FA-2700-00000000E601}2892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001026675Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:18:44.179{2E2BE06D-6DF4-60FA-6900-00000000E601}3676C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-56.attackrange.local59165-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001026674Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:18:45.251{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AFD315169FFFF2603548458635CC41F0,SHA256=398212D231BDBBD4CA7187A5DAB3D05343A97AEB911CCD852EF66444971F206E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000889838Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:18:45.375{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DBF671CB764C46C0C8EEF5A1BD8826F7,SHA256=B11BF3E5ED69973ED27D426BD1599E1B6B2DD61402AFA3CB027B4953ECC07F50,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000889837Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:18:45.297{D94AFF6C-6DD8-60FA-1100-00000000E701}972NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=C274794D7B4CD952E5D40CE6AF9E59AA,SHA256=EFEFCB816E497915026BC8536C202C57A19C77D819A345F89B2FDDF910EFE43B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001026673Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:18:45.219{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5D6547C35F3985EAADA38E18B9340DB3,SHA256=4A4CD7128CD06BBF0FC9A5371531B59B6A770CA22F53375989C883D8AB5E97FE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001026672Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:18:45.219{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F0F5E6FDBD23B2C4749470F6706B3A35,SHA256=EFCB8EBC8091FF849111C21543FD043FF2770F735AB65A4200EC3DBE9BD57A19,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000889839Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:18:46.391{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E4E585808FBA468D0A2A2B131DDCA3DE,SHA256=0FDF4DEE88BA8614F89CF284FDE9E1B64CFFE45E2719342675747878223E5EA0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001026718Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:18:46.985{2E2BE06D-6DE9-60FA-3300-00000000E601}31563176C:\Windows\system32\conhost.exe{2E2BE06D-6FE6-60FE-1779-00000000E601}4684C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001026717Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:18:46.985{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001026716Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:18:46.985{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001026715Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:18:46.985{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001026714Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:18:46.985{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001026713Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:18:46.985{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001026712Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:18:46.985{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001026711Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:18:46.985{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001026710Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:18:46.985{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001026709Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:18:46.985{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001026708Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:18:46.985{2E2BE06D-6DD6-60FA-0500-00000000E601}416420C:\Windows\system32\csrss.exe{2E2BE06D-6FE6-60FE-1779-00000000E601}4684C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001026707Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:18:46.985{2E2BE06D-6DE8-60FA-2700-00000000E601}28923740C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2E2BE06D-6FE6-60FE-1779-00000000E601}4684C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001026706Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:18:46.970{2E2BE06D-6FE6-60FE-1779-00000000E601}4684C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{2E2BE06D-6DD6-60FA-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{2E2BE06D-6DE8-60FA-2700-00000000E601}2892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001026705Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:18:46.641{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5D6547C35F3985EAADA38E18B9340DB3,SHA256=4A4CD7128CD06BBF0FC9A5371531B59B6A770CA22F53375989C883D8AB5E97FE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001026704Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:18:46.501{2E2BE06D-6FE6-60FE-1679-00000000E601}38807036C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{2E2BE06D-6DE8-60FA-2700-00000000E601}2892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001026703Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:18:46.297{2E2BE06D-6DE9-60FA-3300-00000000E601}31563176C:\Windows\system32\conhost.exe{2E2BE06D-6FE6-60FE-1679-00000000E601}3880C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001026702Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:18:46.297{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001026701Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:18:46.297{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001026700Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:18:46.297{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001026699Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:18:46.297{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001026698Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:18:46.297{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001026697Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:18:46.297{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001026696Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:18:46.297{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001026695Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:18:46.282{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001026694Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:18:46.282{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001026693Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:18:46.282{2E2BE06D-6DD6-60FA-0500-00000000E601}416420C:\Windows\system32\csrss.exe{2E2BE06D-6FE6-60FE-1679-00000000E601}3880C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001026692Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:18:46.282{2E2BE06D-6DE8-60FA-2700-00000000E601}28923740C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2E2BE06D-6FE6-60FE-1679-00000000E601}3880C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001026691Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:18:46.283{2E2BE06D-6FE6-60FE-1679-00000000E601}3880C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2E2BE06D-6DD6-60FA-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{2E2BE06D-6DE8-60FA-2700-00000000E601}2892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001026690Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:18:46.251{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C2A8801CE14CC1654F65C60A870F3945,SHA256=66DEEF089CEB6BF4016595858B5D6D4B78660A5F2053B83F64001595D90282FC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000889840Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:18:47.406{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9443E271852F67A5E0FA5A4D195572A8,SHA256=80C540678A29080B8A78D698FD606B507C2CB81AA5841F83691CB65D5581F081,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001026734Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:18:47.876{2E2BE06D-6FE7-60FE-1879-00000000E601}62361576C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{2E2BE06D-6DE8-60FA-2700-00000000E601}2892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001026733Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:18:47.672{2E2BE06D-6DE9-60FA-3300-00000000E601}31563176C:\Windows\system32\conhost.exe{2E2BE06D-6FE7-60FE-1879-00000000E601}6236C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001026732Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:18:47.672{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001026731Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:18:47.672{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001026730Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:18:47.672{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001026729Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:18:47.672{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001026728Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:18:47.672{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001026727Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:18:47.672{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001026726Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:18:47.672{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001026725Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:18:47.657{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001026724Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:18:47.657{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001026723Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:18:47.657{2E2BE06D-6DD6-60FA-0500-00000000E601}416420C:\Windows\system32\csrss.exe{2E2BE06D-6FE7-60FE-1879-00000000E601}6236C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001026722Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:18:47.657{2E2BE06D-6DE8-60FA-2700-00000000E601}28923740C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2E2BE06D-6FE7-60FE-1879-00000000E601}6236C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001026721Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:18:47.658{2E2BE06D-6FE7-60FE-1879-00000000E601}6236C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2E2BE06D-6DD6-60FA-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{2E2BE06D-6DE8-60FA-2700-00000000E601}2892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001026720Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:18:47.344{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ECC00C62338F2BEB636C3D5296633557,SHA256=9D8DE328EB3F5ED1EB4B0096C56502E9789852725C0F90AC9364334196FB4507,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001026719Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:18:47.157{2E2BE06D-6FE6-60FE-1779-00000000E601}46844920C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{2E2BE06D-6DE8-60FA-2700-00000000E601}2892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000889841Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:18:48.406{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5819736BAE2744EC989C03BB638308B6,SHA256=A77BCE593488FDFCF0AE87DE25E8D10D63EA27651DCCA62BEF29DC98EA91850E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001026736Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:18:48.344{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A5B827A0C26867AC5B2C21F22921DF5,SHA256=37184AD5925C36C1E22DFC02E18631ADAE48A6FA2A0D7953BAA2555F02B270A0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001026735Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:18:48.157{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DE21BA7BF9BA56D529629A2B18F9330F,SHA256=9C42795B8C48551FDBD22360555F7A978BB68B2C596236FA92DE33AB375A06C0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001026737Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:18:49.360{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B2062F105F178EAA98AEAA72150BC24A,SHA256=C87E78A0FC579F0B4706933EE4EBCE1155211D8FDCA9C6940B5FB9293ED34B54,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000889843Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:18:49.984{D94AFF6C-6DD9-60FA-2200-00000000E701}1296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=85E02EEFEB94889C2B3FA0450D64D965,SHA256=FD2D44B44F455C51F744FDF6D494B2B2CAA113DD2D7C2DD2E0FED42E8CA25B0C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000889842Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:18:49.422{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B80136681C625B9D6B0E79CB3F12D3FA,SHA256=CAF16C152A1A82F5C2DF09AB3FB4CF5E613FA4DD6B9D1B412270546A45845999,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001026740Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:18:50.657{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=12C6EDC5736B6F704BF6A4247C3D7D16,SHA256=009E95C294A46AC9FD7921D768DEC8C519580612BABF8BB5A4800F6A98C94A2F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001026739Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:18:50.594{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BDBE6719004433E1CBC951617227BE11,SHA256=372BBAF9CB8B98C3561EFEC671C0C50DF0A118BC76319A18A5F17A543B9E3126,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000889844Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:18:50.422{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FD2AF9A618835983C687C57E00B825E8,SHA256=F9950E2FA6853F1E0CC62A0AB8F4B6AE16378FF80D3AE010B24B3D2589B6F19B,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001026738Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:18:49.288{2E2BE06D-6DF4-60FA-6900-00000000E601}3676C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-56.attackrange.local59166-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000889847Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:18:51.656{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BFE691656E143AE7418C90189DAFEEB9,SHA256=78DFD55C804A682B31695161AA0B9F4FE31EC78F9BD3B30E3DAC3FE0C9538518,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001026756Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:18:51.802{2E2BE06D-6DE9-60FA-3300-00000000E601}31563176C:\Windows\system32\conhost.exe{2E2BE06D-6FEB-60FE-1979-00000000E601}4428C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001026755Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:18:51.802{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001026754Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:18:51.802{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001026753Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:18:51.802{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001026752Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:18:51.802{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001026751Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:18:51.802{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001026750Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:18:51.802{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001026749Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:18:51.802{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001026748Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:18:51.802{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001026747Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:18:51.802{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001026746Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:18:51.802{2E2BE06D-6DD6-60FA-0500-00000000E601}416420C:\Windows\system32\csrss.exe{2E2BE06D-6FEB-60FE-1979-00000000E601}4428C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001026745Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:18:51.802{2E2BE06D-6DE8-60FA-2700-00000000E601}28923740C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2E2BE06D-6FEB-60FE-1979-00000000E601}4428C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001026744Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:18:51.767{2E2BE06D-6FEB-60FE-1979-00000000E601}4428C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2E2BE06D-6DD6-60FA-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{2E2BE06D-6DE8-60FA-2700-00000000E601}2892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001026743Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:18:51.626{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6CA830436D41C6B61EE1CCD29CC5E5FF,SHA256=7F3083325A965225A160A0C4D620D36D0D167F815BA15A9168E359ED3A85825E,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001026742Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:18:50.664{2E2BE06D-6DD6-60FA-0B00-00000000E601}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-56.attackrange.local59167-true0:0:0:0:0:0:0:1win-dc-56.attackrange.local389ldap 354300x80000000000000001026741Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:18:50.664{2E2BE06D-6DE8-60FA-2300-00000000E601}2740C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-56.attackrange.local59167-true0:0:0:0:0:0:0:1win-dc-56.attackrange.local389ldap 354300x8000000000000000889846Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:18:42.010{D94AFF6C-6DD9-60FA-2200-00000000E701}1296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-702.eu-central-1.compute.internal52480-false10.0.1.12-8089- 354300x8000000000000000889845Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:18:41.104{D94AFF6C-6DE2-60FA-6100-00000000E701}3628C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-702.eu-central-1.compute.internal52479-false10.0.1.12-8000- 23542300x8000000000000000889848Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:18:52.844{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FFFE0ADD75822C6EA26144C992A68ACD,SHA256=B4C468FEA6B69B3076A2D9C59B4A7BA7DB2E4D1DA398F7249EF23DB04F38A79D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001026758Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:18:52.782{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E0DDAEFEC68E348957C58BDF601D509F,SHA256=674956184C1739DB82F420674F3441E656132D80A5631210222AED1EBB19284C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001026757Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:18:52.641{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=59C529ADC0DAA1818C14BD3B2F89B4F2,SHA256=B8D02CE83B5CF5541B4863F7B41BA72ED85AFECF0A24C0146C75F9C1DF4157FA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001026759Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:18:53.860{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=853E78F587A703B8D64EFD5E0FBDF4D7,SHA256=0863C9570C8B483C4AF23A061733D08788BEFDB02A6326FF1ED8C5A88C7D5F6C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001026760Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:18:54.891{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=79D93D7BBEDB0D3327E7A028FCF73E24,SHA256=DF75DC9EDF61323543C3FB8E80D861620E043C8F04627B70584BBBED7A29E495,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000889849Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:18:54.078{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BDF463DEA1132CC073DBD9AC4F9D1DE9,SHA256=0CAEABEE9F48FAD9FA7705DB40C29EE853F587B7C5F6B10BB24B0188F667E897,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001026762Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:18:55.891{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=05525ABC6E8F274005D26BB7C4BF92FC,SHA256=ECFB3F0DDBC4FC64971203DAF5799BE04D2A40B8B41BE72CE4DB312EF20F3469,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000889850Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:18:55.094{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C877A5C555961B994517CF6BBE08832D,SHA256=993368E395F02C10A4322B52D5ED4AF0C4F9A2B3A3AC85D67DC4259A0442E68B,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001026761Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:18:55.242{2E2BE06D-6DF4-60FA-6900-00000000E601}3676C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-56.attackrange.local59168-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001026763Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:18:56.891{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F9996C2DD883F055992127C38BC8A144,SHA256=78548ECD463F8E0FEC22FAB0C814310EA104AFDEA5E6390112E230DDBE6397B4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000889852Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:18:46.182{D94AFF6C-6DE2-60FA-6100-00000000E701}3628C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-702.eu-central-1.compute.internal52481-false10.0.1.12-8000- 23542300x8000000000000000889851Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:18:56.250{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B639CAA10DEF0A36CB309743DA418F3,SHA256=87C007AF6F4CA6C299F99E391A115587C5958156BA498F83F87B966435D757F2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001026764Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:18:57.907{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=59C4E8650F707E829BFF647B1639E1E4,SHA256=387C1ADE3F90FCB71459C3F7CC7FFA948D4472348E00B47F7BFE7A959D68E9AD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000889853Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:18:57.266{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=94C69FA35DD61F1DC55A0A965AC4655E,SHA256=A26A25E6BBF59410DED3A260C09884106C8F121CFEB79CE0FB5905FFE023F416,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000889854Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:18:58.281{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E7C1ECBA9D1BA71CAB04B0B185382A59,SHA256=1762C5E2DB8208DA16AC39BFE1C24F263ECFE1C5210E89D8D479A30FB6CC012C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001026795Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:18:58.172{2E2BE06D-6DD8-60FA-0D00-00000000E601}904924C:\Windows\system32\svchost.exe{2E2BE06D-CA35-60FA-720B-00000000E601}3556C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001026794Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:18:58.172{2E2BE06D-6DD8-60FA-0D00-00000000E601}904924C:\Windows\system32\svchost.exe{2E2BE06D-CA35-60FA-720B-00000000E601}3556C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001026793Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:18:58.172{2E2BE06D-6DD8-60FA-0D00-00000000E601}904924C:\Windows\system32\svchost.exe{2E2BE06D-CA35-60FA-720B-00000000E601}3556C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001026792Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:18:58.172{2E2BE06D-6DD8-60FA-0D00-00000000E601}904924C:\Windows\system32\svchost.exe{2E2BE06D-CA35-60FA-720B-00000000E601}3556C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001026791Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:18:58.172{2E2BE06D-6DD8-60FA-0D00-00000000E601}904924C:\Windows\system32\svchost.exe{2E2BE06D-CA35-60FA-720B-00000000E601}3556C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001026790Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:18:58.172{2E2BE06D-6DD8-60FA-0D00-00000000E601}904924C:\Windows\system32\svchost.exe{2E2BE06D-CA35-60FA-720B-00000000E601}3556C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001026789Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:18:58.172{2E2BE06D-6DD8-60FA-0D00-00000000E601}904924C:\Windows\system32\svchost.exe{2E2BE06D-CA35-60FA-720B-00000000E601}3556C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001026788Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:18:58.172{2E2BE06D-6DD8-60FA-0D00-00000000E601}904924C:\Windows\system32\svchost.exe{2E2BE06D-CA35-60FA-720B-00000000E601}3556C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001026787Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:18:58.172{2E2BE06D-6DD8-60FA-0D00-00000000E601}904924C:\Windows\system32\svchost.exe{2E2BE06D-CA2C-60FA-630B-00000000E601}4728C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001026786Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:18:58.172{2E2BE06D-6DD8-60FA-0D00-00000000E601}904924C:\Windows\system32\svchost.exe{2E2BE06D-CA2C-60FA-630B-00000000E601}4728C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001026785Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:18:58.172{2E2BE06D-6DD8-60FA-0D00-00000000E601}904924C:\Windows\system32\svchost.exe{2E2BE06D-CA2C-60FA-630B-00000000E601}4728C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001026784Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:18:58.172{2E2BE06D-6DD8-60FA-0D00-00000000E601}904924C:\Windows\system32\svchost.exe{2E2BE06D-CA2C-60FA-630B-00000000E601}4728C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001026783Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:18:58.172{2E2BE06D-6DD8-60FA-0D00-00000000E601}904924C:\Windows\system32\svchost.exe{2E2BE06D-CA2C-60FA-630B-00000000E601}4728C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001026782Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:18:58.172{2E2BE06D-6DD8-60FA-0D00-00000000E601}904924C:\Windows\system32\svchost.exe{2E2BE06D-CA2C-60FA-630B-00000000E601}4728C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001026781Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:18:58.172{2E2BE06D-6DD8-60FA-0D00-00000000E601}904924C:\Windows\system32\svchost.exe{2E2BE06D-CA2C-60FA-630B-00000000E601}4728C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001026780Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:18:58.172{2E2BE06D-6DD8-60FA-0D00-00000000E601}904924C:\Windows\system32\svchost.exe{2E2BE06D-CA2C-60FA-630B-00000000E601}4728C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001026779Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:18:58.172{2E2BE06D-6DD8-60FA-0D00-00000000E601}904924C:\Windows\system32\svchost.exe{2E2BE06D-CA2C-60FA-630B-00000000E601}4728C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001026778Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:18:58.172{2E2BE06D-6DD8-60FA-0D00-00000000E601}904924C:\Windows\system32\svchost.exe{2E2BE06D-CA2C-60FA-630B-00000000E601}4728C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001026777Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:18:58.172{2E2BE06D-6DD8-60FA-0D00-00000000E601}904924C:\Windows\system32\svchost.exe{2E2BE06D-CA2C-60FA-630B-00000000E601}4728C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001026776Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:18:58.172{2E2BE06D-6DD8-60FA-0D00-00000000E601}904924C:\Windows\system32\svchost.exe{2E2BE06D-CA2C-60FA-630B-00000000E601}4728C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001026775Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:18:58.172{2E2BE06D-6DD8-60FA-0D00-00000000E601}904924C:\Windows\system32\svchost.exe{2E2BE06D-CA2C-60FA-630B-00000000E601}4728C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001026774Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:18:58.172{2E2BE06D-6DD8-60FA-0D00-00000000E601}904924C:\Windows\system32\svchost.exe{2E2BE06D-CA2C-60FA-630B-00000000E601}4728C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001026773Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:18:58.172{2E2BE06D-6DD8-60FA-0D00-00000000E601}904924C:\Windows\system32\svchost.exe{2E2BE06D-CA2C-60FA-630B-00000000E601}4728C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001026772Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:18:58.172{2E2BE06D-6DD8-60FA-0D00-00000000E601}904924C:\Windows\system32\svchost.exe{2E2BE06D-CA2C-60FA-630B-00000000E601}4728C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001026771Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:18:58.172{2E2BE06D-6DD8-60FA-0D00-00000000E601}904924C:\Windows\system32\svchost.exe{2E2BE06D-CA2C-60FA-630B-00000000E601}4728C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001026770Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:18:58.172{2E2BE06D-6DD8-60FA-0D00-00000000E601}904924C:\Windows\system32\svchost.exe{2E2BE06D-CA2C-60FA-630B-00000000E601}4728C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001026769Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:18:58.172{2E2BE06D-6DD8-60FA-0D00-00000000E601}904924C:\Windows\system32\svchost.exe{2E2BE06D-CA2C-60FA-630B-00000000E601}4728C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001026768Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:18:58.172{2E2BE06D-6DD8-60FA-0D00-00000000E601}904924C:\Windows\system32\svchost.exe{2E2BE06D-CA2C-60FA-630B-00000000E601}4728C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001026767Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:18:58.172{2E2BE06D-6DD8-60FA-0D00-00000000E601}904924C:\Windows\system32\svchost.exe{2E2BE06D-CA36-60FA-730B-00000000E601}712C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001026766Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:18:58.172{2E2BE06D-6DD8-60FA-0D00-00000000E601}904924C:\Windows\system32\svchost.exe{2E2BE06D-CA36-60FA-730B-00000000E601}712C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001026765Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:18:58.172{2E2BE06D-6DD8-60FA-0D00-00000000E601}904924C:\Windows\system32\svchost.exe{2E2BE06D-CA36-60FA-730B-00000000E601}712C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001026796Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:18:59.376{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B5BC3EDBDA11175A6C5CF8E58BB2C56B,SHA256=DB29535197CA01E8A796D3B79EC25CDF12378A0D17719643ED11DABCCF7C9A1B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000889855Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:18:59.281{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FDA3AE493D57EBB0F28F33A1C9108393,SHA256=C5F7E30426FD6E9EA1157A14BAF65E523276D5B59AFCB1F35F795A1F42B15EB2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000889856Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:19:00.516{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=679C15577ECA02BEDBAEDA20EFE23BA3,SHA256=51464163885F45A20F8E021C3E1812E4E97A397B83812DE04A7CD92FE7CCF494,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001026797Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:19:00.610{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F7D3A022319BB9BC5F37C29070E8D896,SHA256=4CB9AFF42E07538745C484451AF1DCC85DB9C5C524954E9DDB892E323D7C02AC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000889858Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:18:52.182{D94AFF6C-6DE2-60FA-6100-00000000E701}3628C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-702.eu-central-1.compute.internal52482-false10.0.1.12-8000- 23542300x8000000000000000889857Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:19:01.562{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=31A95690257786E809B7B1B884774AE5,SHA256=7AEB0C59B3B9A17C577A035CDBC87F2753BCBDA274D5AA5D485525088B5E7249,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001026799Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:19:01.626{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A5564D8A2DCD05001EDF0CA33BFB4C75,SHA256=DEB70A5CAC0DC7248434AC2243716C68D0A060DE2660951B0A6940AE54CBA720,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001026798Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:19:00.335{2E2BE06D-6DF4-60FA-6900-00000000E601}3676C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-56.attackrange.local59169-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001026800Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:19:02.641{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E137D3195B006DF54AEB13F53AB2D973,SHA256=9E0DE31AC9FD685B3333FBF4C563108AABB4EB8D4D86E35EF5BB9EE389E93EC0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000889859Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:19:02.578{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E0B4DF42A16B4994635A99693E29390,SHA256=80D173EDFA9B305198B6175AC161DFB930494BD6145F20CD4684D5F8264E19F7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001026801Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:19:03.641{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F44B73A32BCC2234E5250DF96A49D15A,SHA256=C6316A385D420C9BFD6B5DC0157C749BF5B575C54389FC0CD21E4E119E40D297,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000889860Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:19:03.578{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=64D3347B286D53E5496D1DF4E7250212,SHA256=F96447B25B16FE300A42D7D4C07785B90689290E8E4618555555C14C74462AD9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001026802Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:19:04.688{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D93C25801C7BFE82F3742B644F17A87A,SHA256=7AE49A12B15051B6DD132609E71BA5376E262FEC6393EBC3F0EC11E1A09214EC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000889861Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:19:04.594{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E35542E452CCF14CC2DEB5BC2A2A67D9,SHA256=8E6485462CF0EE25B212C0DFB20469844F807FFCC578DCB20984E51213FA023F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000889862Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:19:05.609{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=282A653DD199A87C30E104E78487F72D,SHA256=06660760F6F45003EC875D600BE4BDD106EB85C622FF59D1E360A3D4D40F7025,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001026803Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:19:05.689{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A5A4A3E3248615DECD5F968F73CAC275,SHA256=7E252020D350F263BA59BAD0B6A914541F771875654B553D83124FEB2BD07FA9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001026804Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:19:06.765{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=72A6E14C88B145AF64D3F3CEC8E82DF0,SHA256=0196A34E8C76F0B8A7C005128933393F94DFA82364D6442C82D97254FD370AAB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000889863Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:19:06.625{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF701C4390096CFA16F7A87D8931FD11,SHA256=006A6A843212EFEC81A3AF0EB50FEC89EB0FB5F51E0D07B2565F42074F244D8D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001026806Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:19:07.768{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D07E63BAFE0FE7F08617AC630958FA8,SHA256=F5F69CEDE3A5D6DB1F48F40185A280EC91CD7DCBD67F4207CFFEEE3A091CF724,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000889864Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:19:07.641{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D045C71759BAE83410288F4A4105301D,SHA256=1926344C797505A9457CF13806629B228686D28DD76ABA9A4A5AF9FE4DD64D5C,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001026805Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:19:06.352{2E2BE06D-6DF4-60FA-6900-00000000E601}3676C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-56.attackrange.local59170-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001026807Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:19:08.784{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=374FC051653CA39591AA3583FF40AFBD,SHA256=1A0782086B5A6A698EC51101BA622AA8E5123D6DE11086BEB970FEA4A5DB4F94,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000889868Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:19:08.656{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A8F78C44886531AC5596EFDEBE1461D0,SHA256=1630B3402CE6FEFB8E19F6C4978D6E4CD193B294AA986CC7C40B8BB64502B5BA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000889867Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:19:08.516{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CADFC3628353B57B35E446EACE6DE186,SHA256=8E347C6246DFC358D94AB89A1D289DC789C3EA26D40F6238FE9B2125693400DC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000889866Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:19:08.516{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2DB4635956EB2697C708CD92292251A7,SHA256=676B1D3E2EE88DDD8BBDE0918E24933071306D6669B1B1C760DF910F011E1E99,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000889865Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:18:58.103{D94AFF6C-6DE2-60FA-6100-00000000E701}3628C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-702.eu-central-1.compute.internal52483-false10.0.1.12-8000- 354300x8000000000000000889870Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:18:59.262{D94AFF6C-6DD8-60FA-1000-00000000E701}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse191.96.168.227-53451-false10.0.1.15win-host-702.eu-central-1.compute.internal3389ms-wbt-server 23542300x8000000000000000889869Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:19:09.672{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=147139DC32137E09890477FD498E94B3,SHA256=4FD445E97541ABAB9DC7E68B6B5F374ABD1D82D1DA13F24F63BABCA0D1F8B640,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001026808Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:19:09.799{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A050263F43FF8578243191043F2D80B,SHA256=C2F4783AE9BC218C1402DD00F4E31281E9136A9E1C3ACC6E197FB20245BF7F41,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001026809Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:19:10.799{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0682E4E3F61089256FA73BCBF6554FAE,SHA256=AB29431117395C5F7EAAFABA392C49A0DD56E7B19C5E864029AD6C5A8B5B6F14,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000889871Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:19:10.687{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9FF403FCDBDDE390813EFA3D4EA71A37,SHA256=90F0C8F958D2D4C9329E9FF25CB9F7A12E508975F818E4FBF0D4AC6310DCDB58,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001026810Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:19:11.815{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=23AED07D12AD2AEA52EFA35B087BB10E,SHA256=9FEBA26C3143DC9C0A8545D3BF4D65D2A1A9A67EB53FC0E8AD3D671705456376,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000889872Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:19:11.703{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=64375CE77E87FA4E2A4544EEB56F7F34,SHA256=7B629753090C24507D39884D5E7CCDF6D2445E1A6290D0A4944E8EFF6E946073,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001026812Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:19:12.815{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D3D1C01BCFD7F7331811F8B239FF3DF6,SHA256=6FA966FB673BE3B95BD5428483F214C4AE94448046CE7C8C16F9C44EF2B080DA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000889873Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:19:12.719{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE87F2CC4BB8B748C769EB3B125FDF8C,SHA256=9C8F753CA7533F1967229220D180E739FCD35AD77AD3EA8C6A2D734769AFB7A7,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001026811Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:19:12.228{2E2BE06D-6DF4-60FA-6900-00000000E601}3676C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-56.attackrange.local59171-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001026813Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:19:13.831{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2ED9944AC27227B129C93F78B9284F01,SHA256=58302EDF719827558FE0F9094687DFC1C010260ACDB220E14F1647567F3D8FC5,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000889875Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:19:03.244{D94AFF6C-6DE2-60FA-6100-00000000E701}3628C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-702.eu-central-1.compute.internal52484-false10.0.1.12-8000- 23542300x8000000000000000889874Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:19:13.719{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC2F847A2EE844CCC0471498C5D64F80,SHA256=FB3D9A505F68CBFAD471F19B24DBD94DCDF2E544517F0DAB57C884A339EF5C3A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001026814Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:19:14.862{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=061DB0603658781477D9AF476EA81FC0,SHA256=E609A508000ACFBE5D934CAA514C6D9A8D5229B09F13B2F49DEBB990BBD7BD77,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000889876Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:19:14.734{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=16D867FF41EB05AB492C7859F66D292F,SHA256=5D5BB4B8129E6ABC2189B1192A51AC672255D7802299C96D177E1A371DFC97D4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001026815Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:19:15.893{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=19135AEEDAFE36D06BB6AA3F02F56EE3,SHA256=C170B9B9D7BC276C0DC4CA4500EE4F21D7E921E6F4E353828D2EE324222DD998,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000889877Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:19:15.750{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5799743F0F4132D68F05D6CB22325120,SHA256=C8F57B0C92D1E7603340B1820D9FBD6DE6330133DCC5ECB7C9E472EC1522A849,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001026818Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:19:16.893{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8CE6EDE673C905DA5FC4766864B0765E,SHA256=B1B157CABF132C385CF3C369B87CA2BBF60223BC03361B9BBB687396C70ECA16,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000889878Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:19:16.766{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=41BEF2EA095D92A53D795E76F8B626E6,SHA256=484203D95EC806DD999C3EA830DBAC3E4A627F03686E34F2160187033B98CB8D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001026817Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:19:16.737{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E7BE8218BE918254F2AB5BFC2F570B4B,SHA256=2FF9A1CA300BBBD5A2D9BCE147F52B9428D0770AC6572377156C7EBB7A69DD1A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001026816Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:19:16.737{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=46F9DF93F525E0A0D742F9DD48F5A1CF,SHA256=B4D56993D674628EBC12B61CD63844BBC113B5A273F028F4361D49F38DAC3B63,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001026821Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:19:17.909{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=41C23F5025865B890493B346FC8B1336,SHA256=C85AC083269BE450032D2111682396C8D4178E454E7BE43954E75EEE027B13F9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000889879Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:19:17.781{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E823C0DF1D29891EC0FC33C3171702A,SHA256=6C3595315798A418C7F18EB8450B852434047D4F1B470CA1120C3720AB41FE95,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001026820Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:19:17.830{2E2BE06D-6DD8-60FA-1200-00000000E601}780NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=B76B786173393CA114D4B46000215D6C,SHA256=538FC8EFBD91AECFE1F3FE781C3FD48F8A9A8B55BF10BA3E9BA1A8B95815C115,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001026819Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:19:16.508{2E2BE06D-6DD8-60FA-0F00-00000000E601}368C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse212.102.34.235unn-212-102-34-235.datapacket.com18356-false10.0.1.14win-dc-56.attackrange.local3389ms-wbt-server 23542300x80000000000000001026823Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:19:18.909{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=206AECC8B8F652B1B97540FB8ECE0120,SHA256=721297A50AFE8395282273625E025D3A3467A272073DA337737E22542C0BCCE1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000889880Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:19:18.781{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B3F8BD7E24AEE47D26A944EDCBC1E814,SHA256=78603A6E92550AAE3088F2CDE95E55BBF920ADD0A0B08049E4127E579FD1B06D,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001026822Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:19:17.306{2E2BE06D-6DF4-60FA-6900-00000000E601}3676C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-56.attackrange.local59172-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001026824Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:19:19.971{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=290E89DE46B4014FB022B7B23190CDBA,SHA256=78B539F807C80A9C20D730DB238F24F6690676E7BF3E2507FCCD48DF3CF65FE3,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000889882Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:19:09.166{D94AFF6C-6DE2-60FA-6100-00000000E701}3628C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-702.eu-central-1.compute.internal52485-false10.0.1.12-8000- 23542300x8000000000000000889881Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:19:19.797{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=57DEB8589C7AC7FCD7F4FE5E1EDA5FE0,SHA256=A6EF26047AAC6B00045C7C91F82F5F5C4749AA4A2276DD5B6D7CC9166B61A23F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001026825Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:19:20.987{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=662F716CC98048C511D0CB20390829AB,SHA256=C7C20B2103D92E746B7ADD9A899D20A5B5BC3FCF973E0858C544A45ADDA359FB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000889883Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:19:20.813{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A40DA7B7D49723D95F55FE7D7EE72DFF,SHA256=0E2A85269A26B36A797D9FF4578AF657AE64F6C107D9A335B8EAF537F6F3CB38,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001026826Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:19:21.987{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=37370DEDCF83DABE5F18C90F0F039679,SHA256=EBD17FDEDEB773CA10497EE4F2E7E064D5891739DE5B4267C2CAAB03B1393B65,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000889884Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:19:21.828{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6CA645CEAC9465E3DBC19B75D62FE838,SHA256=15C1DE604E9AD30E6997EAAC2DE585B4110C6B4F14AEBC77FDF806C1F88167D8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000889885Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:19:22.844{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D05DAE144FF87BCE9900D3BCAEE9BB3,SHA256=E48D69B515318E6B0914333C8DE6FC445CD6A7395DCE569D222DBDCEC141125D,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001026828Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:19:23.212{2E2BE06D-6DF4-60FA-6900-00000000E601}3676C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-56.attackrange.local59173-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001026827Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:19:23.018{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=98EB13DD8322D968C9D966FED513F153,SHA256=F7ACE4A22388FA448EF74CA4E93675508702ACDFCC3A7D81F8E0B014479F6935,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000889887Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:19:15.103{D94AFF6C-6DE2-60FA-6100-00000000E701}3628C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-702.eu-central-1.compute.internal52486-false10.0.1.12-8000- 23542300x8000000000000000889886Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:19:24.062{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=73C5570F213FC0ED0A9B67A2EDBB71F6,SHA256=8CDF1FF6D001F260DFC72281515A6AFDFA52933E89A9DF659E90F600F86F1C03,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001026830Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:19:24.909{2E2BE06D-6DE8-60FA-2700-00000000E601}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=85E02EEFEB94889C2B3FA0450D64D965,SHA256=FD2D44B44F455C51F744FDF6D494B2B2CAA113DD2D7C2DD2E0FED42E8CA25B0C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001026829Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:19:24.018{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3B4DFB847040A9652CDC99752213EDBA,SHA256=EF6BAFFF51AADD1D330BF7ED6576C2F4195D6841A8DADAD9AAB7A6C6C30A2C0D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000889888Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:19:25.297{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=616ABC22C3CFAC270E50EC2F6DC1CC08,SHA256=CB7A0F0BA5D6B30D1220356FB48899570D12FAD9CEECA8CD3CC6BFB02BED148F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001026831Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:19:25.018{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9626D0A3211B472A2F172C285FFEE9F8,SHA256=7C3E74091A15DEB33A934CE98D9ABA25BD3E7CDE1F0CE5CAE3D1621824BE4F8B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000889889Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:19:26.531{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D03C71EACD3B62D3E69B787E03EA7E1B,SHA256=77F3F186E97741E3F5032A10CF52CE9EF425C7145C327ECB197856E8C4B22B4F,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001026833Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:19:26.025{2E2BE06D-6DE8-60FA-2700-00000000E601}2892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-56.attackrange.local59174-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x80000000000000001026832Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:19:26.127{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7BD6681315A6CA2BDF7F236308CD4A4E,SHA256=FF06270A0E275943B34A2C28E2E1C5FAF41762F2974067F1EBCAFCA352C04FD9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000889903Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:19:27.891{D94AFF6C-6DDA-60FA-2B00-00000000E701}28322852C:\Windows\system32\conhost.exe{D94AFF6C-700F-60FE-8B78-00000000E701}636C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000889902Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:19:27.875{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000889901Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:19:27.875{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000889900Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:19:27.875{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000889899Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:19:27.875{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000889898Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:19:27.875{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000889897Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:19:27.875{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000889896Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:19:27.875{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000889895Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:19:27.875{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000889894Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:19:27.875{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000889893Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:19:27.875{D94AFF6C-6DD7-60FA-0500-00000000E701}416532C:\Windows\system32\csrss.exe{D94AFF6C-700F-60FE-8B78-00000000E701}636C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000889892Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:19:27.875{D94AFF6C-6DD9-60FA-2200-00000000E701}12963324C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D94AFF6C-700F-60FE-8B78-00000000E701}636C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000889891Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:19:27.876{D94AFF6C-700F-60FE-8B78-00000000E701}636C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D94AFF6C-6DD8-60FA-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{D94AFF6C-6DD9-60FA-2200-00000000E701}1296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000889890Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:19:27.578{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C80744039B56BB1AE0D8E63623B3C90C,SHA256=F3F29F935187C9FF23DE5E08E6222C7C37A84C48DB987B232FBCA753E218E5E1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001026834Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:19:27.205{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E325FF8A879A98BF38EBC9D54276095,SHA256=5A1BF0A0B9BF85F69D5F085B2BCF6617FD9B0072CE6D8ECA653A5133C71A9C8E,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001026836Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:19:28.322{2E2BE06D-6DF4-60FA-6900-00000000E601}3676C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-56.attackrange.local59175-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001026835Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:19:28.205{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E4B92ED6A6080505EAA480A6BF7F9109,SHA256=BD137BC4E9C91BE19DD567A8D9395A0C4AAF5F55D605367C97FD908C878BDF2B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000889917Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:19:28.562{D94AFF6C-6DDA-60FA-2B00-00000000E701}28322852C:\Windows\system32\conhost.exe{D94AFF6C-7010-60FE-8C78-00000000E701}2696C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000889916Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:19:28.562{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000889915Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:19:28.562{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000889914Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:19:28.547{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000889913Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:19:28.547{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000889912Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:19:28.547{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000889911Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:19:28.547{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000889910Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:19:28.547{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000889909Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:19:28.547{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000889908Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:19:28.547{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000889907Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:19:28.547{D94AFF6C-6DD7-60FA-0500-00000000E701}4161060C:\Windows\system32\csrss.exe{D94AFF6C-7010-60FE-8C78-00000000E701}2696C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000889906Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:19:28.547{D94AFF6C-6DD9-60FA-2200-00000000E701}12963324C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D94AFF6C-7010-60FE-8C78-00000000E701}2696C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000889905Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:19:28.548{D94AFF6C-7010-60FE-8C78-00000000E701}2696C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D94AFF6C-6DD8-60FA-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{D94AFF6C-6DD9-60FA-2200-00000000E701}1296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000889904Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:19:28.000{D94AFF6C-700F-60FE-8B78-00000000E701}6361424C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{D94AFF6C-6DD9-60FA-2200-00000000E701}1296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001026837Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:19:29.221{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=268A4B4800ADDB1AED31107DFF101AA3,SHA256=86B88819E98E495411BCBF996C0921A826586786313896F8ADC6649E13A9FE8C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000889946Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:19:29.906{D94AFF6C-6DDA-60FA-2B00-00000000E701}28322852C:\Windows\system32\conhost.exe{D94AFF6C-7011-60FE-8E78-00000000E701}1228C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000889945Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:19:29.906{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000889944Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:19:29.906{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000889943Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:19:29.891{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000889942Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:19:29.891{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000889941Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:19:29.891{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000889940Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:19:29.891{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000889939Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:19:29.891{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000889938Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:19:29.891{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000889937Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:19:29.891{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000889936Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:19:29.891{D94AFF6C-6DD7-60FA-0500-00000000E701}416532C:\Windows\system32\csrss.exe{D94AFF6C-7011-60FE-8E78-00000000E701}1228C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000889935Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:19:29.891{D94AFF6C-6DD9-60FA-2200-00000000E701}12963324C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D94AFF6C-7011-60FE-8E78-00000000E701}1228C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000889934Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:19:29.891{D94AFF6C-7011-60FE-8E78-00000000E701}1228C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D94AFF6C-6DD8-60FA-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{D94AFF6C-6DD9-60FA-2200-00000000E701}1296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000889933Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:19:29.234{D94AFF6C-6DDA-60FA-2B00-00000000E701}28322852C:\Windows\system32\conhost.exe{D94AFF6C-7011-60FE-8D78-00000000E701}3872C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000889932Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:19:29.219{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000889931Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:19:29.219{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000889930Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:19:29.219{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000889929Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:19:29.219{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000889928Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:19:29.219{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000889927Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:19:29.219{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000889926Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:19:29.219{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000889925Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:19:29.219{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000889924Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:19:29.219{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000889923Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:19:29.219{D94AFF6C-6DD7-60FA-0500-00000000E701}416432C:\Windows\system32\csrss.exe{D94AFF6C-7011-60FE-8D78-00000000E701}3872C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000889922Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:19:29.219{D94AFF6C-6DD9-60FA-2200-00000000E701}12963324C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D94AFF6C-7011-60FE-8D78-00000000E701}3872C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000889921Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:19:29.219{D94AFF6C-7011-60FE-8D78-00000000E701}3872C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D94AFF6C-6DD8-60FA-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{D94AFF6C-6DD9-60FA-2200-00000000E701}1296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000889920Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:19:29.016{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B1103F6A39B53591DE70BF69E85CD465,SHA256=7238D649D21A7E1344D577A0DA2E8B8F920A198DB64347A43534C21CF1E2A75D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000889919Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:19:29.016{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=29D3881451794F68A4C95B0AD2FD9804,SHA256=C30E491BED7D10F94D589085B62FF9A2D3060281F5EA0EDC2216C300EE3805C4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000889918Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:19:29.016{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CADFC3628353B57B35E446EACE6DE186,SHA256=8E347C6246DFC358D94AB89A1D289DC789C3EA26D40F6238FE9B2125693400DC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000889949Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:19:20.165{D94AFF6C-6DE2-60FA-6100-00000000E701}3628C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-702.eu-central-1.compute.internal52487-false10.0.1.12-8000- 23542300x8000000000000000889948Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:19:30.422{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B1103F6A39B53591DE70BF69E85CD465,SHA256=7238D649D21A7E1344D577A0DA2E8B8F920A198DB64347A43534C21CF1E2A75D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000889947Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:19:30.156{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=53D7735FE79A012846C11593500EDB62,SHA256=93274837D9D1210A76DF794BF66FFDF3AB1EA8E6F97451F6623122CB0FFCC044,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001026838Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:19:30.237{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=66AD4813C29F5C830F246951C72BE13D,SHA256=A2F976ED5D6A603BE5444ABB342C7F1C38FE18490C92501A275AB5F3F9FD4D08,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000889950Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:19:31.250{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C5619E4B64A3738BD7017B0D41DA9B7,SHA256=DF02AABC20B41638718CC7E7A6610F079E5F2EF84EECBC4B9688A6422EE694DE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001026839Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:19:31.237{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C5FF4FF35BFC835AB91D10B3E2B199B0,SHA256=D412136AE6116D4F46367D857F244218EB4AB867828094A8B595B966C58A4E6F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000889951Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:19:32.422{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF1635B1FF0A90CBB547D8A7BF8A6769,SHA256=D98C9F64DBC37DA4715A16D97FF579F5AE4E68674E8BF87655398A6DCE55254B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001026840Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:19:32.252{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7DD7FD9B0B8FDF127D63245CC9AA8734,SHA256=FBD04333EE8BDE98EA22E2353EF4E3D1041FECE6EC36871EF63212AEAA2174C5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000889952Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:19:33.453{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=24919C00E17A63BBA3889AB521796A5F,SHA256=AB27F3A3E417E6406BEC42E857BDE2D86A2E787AB9BB94606C539CFCE6240096,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001026841Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:19:33.268{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F2C876E62F05A2B382D5FED7E03981C4,SHA256=879E6E85A356204B2A7C1F0C701097364C091F7415E7C02DE850E496DF221758,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000889954Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:19:25.274{D94AFF6C-6DE2-60FA-6100-00000000E701}3628C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-702.eu-central-1.compute.internal52488-false10.0.1.12-8000- 23542300x8000000000000000889953Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:19:34.469{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1AF04FF73D5881BD80539CB92516E188,SHA256=6BCC8334AA942C1F21BABA1EBF8C49E08B4BACAF8AFE3AE5CBBF83550E4C3BA8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001026842Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:19:34.284{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3B89C7242878C556EC6A9F6C8189ADD0,SHA256=52F5AAD54AC8C4A44070B7AC37A775AACC8939D85E847EB81AB34B2FCACBF4FB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000889969Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:19:35.766{D94AFF6C-7017-60FE-8F78-00000000E701}30481984C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D94AFF6C-6DD9-60FA-2200-00000000E701}1296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000889968Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:19:35.656{D94AFF6C-6DDA-60FA-2B00-00000000E701}28322852C:\Windows\system32\conhost.exe{D94AFF6C-7017-60FE-8F78-00000000E701}3048C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000889967Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:19:35.641{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000889966Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:19:35.641{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000889965Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:19:35.641{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000889964Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:19:35.641{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000889963Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:19:35.641{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000889962Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:19:35.641{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000889961Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:19:35.641{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000889960Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:19:35.641{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000889959Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:19:35.641{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000889958Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:19:35.641{D94AFF6C-6DD7-60FA-0500-00000000E701}416532C:\Windows\system32\csrss.exe{D94AFF6C-7017-60FE-8F78-00000000E701}3048C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000889957Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:19:35.641{D94AFF6C-6DD9-60FA-2200-00000000E701}12963324C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D94AFF6C-7017-60FE-8F78-00000000E701}3048C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000889956Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:19:35.641{D94AFF6C-7017-60FE-8F78-00000000E701}3048C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D94AFF6C-6DD8-60FA-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{D94AFF6C-6DD9-60FA-2200-00000000E701}1296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000889955Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:19:35.531{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F3EA80B45D734D7540E480598852751F,SHA256=67E0DB130A5D30296E6E2D6EC88F8B728C8AB41D73DC4E23653AC49A6E2C5C53,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001026844Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:19:35.284{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1788EDA3F44D80B5B11EF49F60B86F0F,SHA256=03826733AF60C39129476D7F873219412E4846F2D9C1D3C19FCFD6BCCA0173A2,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001026843Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:19:34.181{2E2BE06D-6DF4-60FA-6900-00000000E601}3676C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-56.attackrange.local59176-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000889972Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:19:36.703{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4AA1649B63DF9217CA766583F2901A9D,SHA256=712206C2F839BF514A24FF39967A464EBD70B03EDB6A576127A141F3CBE5934D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000889971Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:19:36.703{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2D401F1C8D1986BFB1B9679D34580BFC,SHA256=B8426958FFC1354D7707C37F0117779A66AFF142A9F9BDAEEC94113874A18EA9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000889970Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:19:36.594{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C0CE14D577ADA70E409BA54A5DC9B4F,SHA256=098E9361231F208EBB7A6669F7882191816639EEA221234BB3428598077A3473,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001026845Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:19:36.299{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=97DF05A7A1E9404D44E575090334F155,SHA256=4216D86C6EF4F9700A63380D47AE1B2CD6A5BEB831501F2A1F70CE40202D3657,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000889973Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:19:37.687{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=388652E0DF928F319C6CDB5FF4C658AF,SHA256=74474ED3C96106BAAFC7F1FBC20173E0D8C8469465CCEFD6357054B18E39D8CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001026846Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:19:37.534{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=518AC8A7CB2423481869C587F0A9100D,SHA256=F6D4B397B83FF5569C84694F2D2117ED65649AD1AD70CA5D5F199718C537EA6A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000889976Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:19:38.734{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0054F4948FEAE035E42812F03164962A,SHA256=E7674B983650A736EBC1B055E89ABBC418E831E4A9E0F21644DD9CAF64F9A93A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001026847Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:19:38.565{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5920A3193D5FCD4FC4AD05D6923137EA,SHA256=A52123268E96053EA66DD0AB79A76A60F9996511A09EE4138DBC96314D799C1A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000889975Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:19:38.687{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4AA1649B63DF9217CA766583F2901A9D,SHA256=712206C2F839BF514A24FF39967A464EBD70B03EDB6A576127A141F3CBE5934D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000889974Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:19:28.059{D94AFF6C-6DD8-60FA-1000-00000000E701}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse193.93.62.33-33553-false10.0.1.15win-host-702.eu-central-1.compute.internal3389ms-wbt-server 23542300x8000000000000000889991Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:19:39.804{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB58E3DCBCDBB4C6C2DE5C1DD2BB533C,SHA256=9A671E899D8A58952BA6500430DB05FE0AC92EE8233FB90E2E4A6E8B9631A882,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001026848Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:19:39.580{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=55D8C5D9C1987AF2D1C5F1BFAABC52F8,SHA256=F84563475CE437DDFDF6E8733118F80D8F6525C694517CB89C743FAEA8F43A48,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000889990Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:19:39.782{D94AFF6C-701B-60FE-9078-00000000E701}15243604C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{D94AFF6C-6DD9-60FA-2200-00000000E701}1296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000889989Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:19:39.657{D94AFF6C-6DDA-60FA-2B00-00000000E701}28322852C:\Windows\system32\conhost.exe{D94AFF6C-701B-60FE-9078-00000000E701}1524C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000889988Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:19:39.642{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000889987Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:19:39.642{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000889986Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:19:39.642{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000889985Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:19:39.642{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000889984Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:19:39.642{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000889983Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:19:39.642{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000889982Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:19:39.642{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000889981Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:19:39.642{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000889980Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:19:39.642{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000889979Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:19:39.642{D94AFF6C-6DD7-60FA-0500-00000000E701}416432C:\Windows\system32\csrss.exe{D94AFF6C-701B-60FE-9078-00000000E701}1524C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000889978Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:19:39.642{D94AFF6C-6DD9-60FA-2200-00000000E701}12963324C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D94AFF6C-701B-60FE-9078-00000000E701}1524C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000889977Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:19:39.642{D94AFF6C-701B-60FE-9078-00000000E701}1524C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D94AFF6C-6DD8-60FA-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{D94AFF6C-6DD9-60FA-2200-00000000E701}1296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000890007Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:19:40.818{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4659FA81CF9F4AF0EA4BAADF3C353209,SHA256=504917D2C878E6CB4B9A91DB9BBA779A4DC27DAD23AEC7E9D3DD5DE90EB6C8DF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000890006Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:19:40.813{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F1A6CB0228BDD66B3A1B40A24C8C9C45,SHA256=210AC7974BA0BA090261560CD9D34B5D6E47C8A9D7CA18ACFA39B0E7B8502DAC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001026850Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:19:40.596{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=398C68EEE5C6C83C902326F42BA21257,SHA256=4A55C4533553669A6124F8225B620DEFFD95D0C8301D7C8C032E41ED43F4E7CC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000890005Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:19:40.373{D94AFF6C-701C-60FE-9178-00000000E701}31002492C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D94AFF6C-6DD9-60FA-2200-00000000E701}1296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000890004Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:19:40.263{D94AFF6C-6DDA-60FA-2B00-00000000E701}28322852C:\Windows\system32\conhost.exe{D94AFF6C-701C-60FE-9178-00000000E701}3100C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000890003Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:19:40.263{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000890002Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:19:40.263{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000890001Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:19:40.248{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000890000Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:19:40.248{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000889999Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:19:40.248{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000889998Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:19:40.248{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000889997Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:19:40.248{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000889996Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:19:40.248{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000889995Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:19:40.248{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000889994Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:19:40.248{D94AFF6C-6DD7-60FA-0500-00000000E701}416532C:\Windows\system32\csrss.exe{D94AFF6C-701C-60FE-9178-00000000E701}3100C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000889993Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:19:40.248{D94AFF6C-6DD9-60FA-2200-00000000E701}12963324C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D94AFF6C-701C-60FE-9178-00000000E701}3100C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000889992Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:19:40.249{D94AFF6C-701C-60FE-9178-00000000E701}3100C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{D94AFF6C-6DD8-60FA-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{D94AFF6C-6DD9-60FA-2200-00000000E701}1296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001026849Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:19:39.306{2E2BE06D-6DF4-60FA-6900-00000000E601}3676C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-56.attackrange.local59177-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000890009Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:19:41.850{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EBD021147393F6011BD2B73D0B7FAFF1,SHA256=D8C7F445B9EB14E2ED5ADC68C4A5A299C24D927711723A14B61D834808955AB3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001026851Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:19:41.596{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D34F2FAE75A9B20AB9B8383DA0DF863A,SHA256=9816FFBD13C75092EC53A1862881ACEC0BC182124B461E16C7A8AA48A7A609D6,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000890008Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:19:31.150{D94AFF6C-6DE2-60FA-6100-00000000E701}3628C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-702.eu-central-1.compute.internal52489-false10.0.1.12-8000- 23542300x80000000000000001026852Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:19:42.596{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4877124BFB77C79E4D37A8B118FE03C7,SHA256=9741F5100F5DE862A84FEA811AE9F6038490E7FF3891256765177A795FC192D1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001026853Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:19:43.596{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E3810EAEF6AF6EFF6686273C6046CB22,SHA256=A30DBAF622676BBCAA79737B5D399E74156214634CBEA00680F0538CA5A34777,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000890010Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:19:43.022{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C6F0504FB4EC5DF5FF4850607EE8E823,SHA256=F25AA22E263959DFA94846A8611842D7B1AD3569CC9974C7C03E7FCC28767B1C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001026881Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:19:44.846{2E2BE06D-6DE9-60FA-3300-00000000E601}31563176C:\Windows\system32\conhost.exe{2E2BE06D-7020-60FE-1B79-00000000E601}288C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001026880Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:19:44.846{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001026879Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:19:44.846{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001026878Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:19:44.846{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001026877Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:19:44.846{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001026876Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:19:44.846{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001026875Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:19:44.846{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001026874Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:19:44.846{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001026873Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:19:44.846{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001026872Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:19:44.846{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001026871Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:19:44.846{2E2BE06D-6DD6-60FA-0500-00000000E601}416420C:\Windows\system32\csrss.exe{2E2BE06D-7020-60FE-1B79-00000000E601}288C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001026870Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:19:44.846{2E2BE06D-6DE8-60FA-2700-00000000E601}28923740C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2E2BE06D-7020-60FE-1B79-00000000E601}288C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001026869Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:19:44.832{2E2BE06D-7020-60FE-1B79-00000000E601}288C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2E2BE06D-6DD6-60FA-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{2E2BE06D-6DE8-60FA-2700-00000000E601}2892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001026868Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:19:44.596{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7FFA131E459180931881D8723C0C4006,SHA256=1486BBBF8600571D369E7D28A518417FE2F508D7C7B242FDBCFA345FB9B95115,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000890011Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:19:44.053{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=53D9BF68516C2EA71D9858C99B0AB623,SHA256=AB188CC086BCDDB5FC33E1BAC34B55CE5BD9338F5E628F7E88707C156A7BD631,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001026867Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:19:44.424{2E2BE06D-7020-60FE-1A79-00000000E601}9447100C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{2E2BE06D-6DE8-60FA-2700-00000000E601}2892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001026866Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:19:44.221{2E2BE06D-6DE9-60FA-3300-00000000E601}31563176C:\Windows\system32\conhost.exe{2E2BE06D-7020-60FE-1A79-00000000E601}944C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001026865Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:19:44.221{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001026864Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:19:44.221{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001026863Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:19:44.221{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001026862Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:19:44.221{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001026861Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:19:44.221{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001026860Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:19:44.221{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001026859Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:19:44.221{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001026858Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:19:44.221{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001026857Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:19:44.221{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001026856Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:19:44.221{2E2BE06D-6DD6-60FA-0500-00000000E601}416420C:\Windows\system32\csrss.exe{2E2BE06D-7020-60FE-1A79-00000000E601}944C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001026855Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:19:44.221{2E2BE06D-6DE8-60FA-2700-00000000E601}28923740C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2E2BE06D-7020-60FE-1A79-00000000E601}944C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001026854Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:19:44.206{2E2BE06D-7020-60FE-1A79-00000000E601}944C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{2E2BE06D-6DD6-60FA-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{2E2BE06D-6DE8-60FA-2700-00000000E601}2892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001026899Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:19:45.674{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B4325A943FA0E8B41EC18CC0A055620,SHA256=617D2239BF285A4E8C79CB16E0846CE6CDAFA1BDA1AEBCC8D5341362728B4274,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001026898Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:19:45.659{2E2BE06D-7021-60FE-1C79-00000000E601}19446104C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{2E2BE06D-6DE8-60FA-2700-00000000E601}2892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000890014Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:19:36.233{D94AFF6C-6DE2-60FA-6100-00000000E701}3628C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-702.eu-central-1.compute.internal52490-false10.0.1.12-8000- 23542300x8000000000000000890013Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:19:45.303{D94AFF6C-6DD8-60FA-1100-00000000E701}972NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=A3B3837B465BAC6FA7210613EB67C78B,SHA256=DDF0BA8216CCC5B304C0052BB5FCC0050CFAD67C96092653EB7C42B9C2143320,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000890012Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:19:45.069{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=28B3C9558040BACB78059B0A5DEDD5A9,SHA256=697FD620B7AB977B2505D5FD0F569E730AD524D586A81C005D30FABA7957F47D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001026897Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:19:45.487{2E2BE06D-6DE9-60FA-3300-00000000E601}31563176C:\Windows\system32\conhost.exe{2E2BE06D-7021-60FE-1C79-00000000E601}1944C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001026896Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:19:45.471{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001026895Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:19:45.471{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001026894Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:19:45.471{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001026893Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:19:45.471{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001026892Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:19:45.471{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001026891Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:19:45.471{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001026890Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:19:45.471{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001026889Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:19:45.471{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001026888Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:19:45.471{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001026887Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:19:45.471{2E2BE06D-6DD6-60FA-0500-00000000E601}416536C:\Windows\system32\csrss.exe{2E2BE06D-7021-60FE-1C79-00000000E601}1944C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001026886Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:19:45.471{2E2BE06D-6DE8-60FA-2700-00000000E601}28923740C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2E2BE06D-7021-60FE-1C79-00000000E601}1944C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001026885Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:19:45.457{2E2BE06D-7021-60FE-1C79-00000000E601}1944C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2E2BE06D-6DD6-60FA-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{2E2BE06D-6DE8-60FA-2700-00000000E601}2892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001026884Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:19:45.197{2E2BE06D-6DF4-60FA-6900-00000000E601}3676C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-56.attackrange.local59178-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001026883Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:19:45.268{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8583423F0836751811AE483FE6DD036F,SHA256=89B3EDF11915C3212A367CD8440C9408056798F555F982450335A977FA4CF406,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001026882Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:19:45.268{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E7BE8218BE918254F2AB5BFC2F570B4B,SHA256=2FF9A1CA300BBBD5A2D9BCE147F52B9428D0770AC6572377156C7EBB7A69DD1A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001026928Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:19:46.909{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B93DD2D320EC19B1186DD37B42DFE3C5,SHA256=E9F35D0B2010804538780132DCAC047E22384849114A7E16836F53853FE89BA5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000890015Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:19:46.084{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F3929816845403E9FC131E05EF16CB90,SHA256=2F7B81994032E359D9159273C688FEE676ACB1E78E3315FF5B955187CD1E4DCC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001026927Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:19:46.846{2E2BE06D-6DE9-60FA-3300-00000000E601}31563176C:\Windows\system32\conhost.exe{2E2BE06D-7022-60FE-1E79-00000000E601}6508C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001026926Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:19:46.846{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001026925Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:19:46.846{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001026924Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:19:46.846{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001026923Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:19:46.846{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001026922Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:19:46.846{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001026921Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:19:46.846{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001026920Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:19:46.846{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001026919Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:19:46.846{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001026918Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:19:46.846{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001026917Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:19:46.846{2E2BE06D-6DD6-60FA-0500-00000000E601}416420C:\Windows\system32\csrss.exe{2E2BE06D-7022-60FE-1E79-00000000E601}6508C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001026916Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:19:46.846{2E2BE06D-6DE8-60FA-2700-00000000E601}28923740C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2E2BE06D-7022-60FE-1E79-00000000E601}6508C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001026915Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:19:46.831{2E2BE06D-7022-60FE-1E79-00000000E601}6508C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2E2BE06D-6DD6-60FA-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{2E2BE06D-6DE8-60FA-2700-00000000E601}2892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001026914Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:19:46.472{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8583423F0836751811AE483FE6DD036F,SHA256=89B3EDF11915C3212A367CD8440C9408056798F555F982450335A977FA4CF406,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001026913Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:19:46.393{2E2BE06D-7022-60FE-1D79-00000000E601}53526388C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{2E2BE06D-6DE8-60FA-2700-00000000E601}2892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001026912Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:19:46.159{2E2BE06D-6DE9-60FA-3300-00000000E601}31563176C:\Windows\system32\conhost.exe{2E2BE06D-7022-60FE-1D79-00000000E601}5352C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001026911Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:19:46.159{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001026910Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:19:46.159{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001026909Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:19:46.159{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001026908Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:19:46.159{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001026907Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:19:46.159{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001026906Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:19:46.159{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001026905Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:19:46.159{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001026904Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:19:46.159{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001026903Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:19:46.159{2E2BE06D-6DD6-60FA-0500-00000000E601}416536C:\Windows\system32\csrss.exe{2E2BE06D-7022-60FE-1D79-00000000E601}5352C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001026902Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:19:46.159{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001026901Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:19:46.159{2E2BE06D-6DE8-60FA-2700-00000000E601}28923740C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2E2BE06D-7022-60FE-1D79-00000000E601}5352C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001026900Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:19:46.144{2E2BE06D-7022-60FE-1D79-00000000E601}5352C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2E2BE06D-6DD6-60FA-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{2E2BE06D-6DE8-60FA-2700-00000000E601}2892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000890018Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:19:47.491{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=544FFD3F38B24AABAF0D0F0B69C8B2B5,SHA256=B6968083F81C42AEFEFBB8CDD63FB85C2BC56E2E39A6AC0DECFC74089ED3D850,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000890017Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:19:47.491{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=918C999A119CD9375116ECA9687EEC13,SHA256=71DCA314680BE4E50198DC9E026A6C4F6C6B2E1A30D98BB0641AA654816E6F9F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000890016Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:19:47.085{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=010AF8DE11CDC286D84DA06B4518CECC,SHA256=2ECD11D53399DA763DF15921501DCDAFA0F1FBD6A1637F9E97CEDEA00431B3CE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001026943Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:19:47.846{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=12C08AF71654D8A420C64328B8E87FC1,SHA256=F3C9B522F75F69A3762A03B98ACFEF576A180950E571D29E3459336BCE457328,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001026942Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:19:47.534{2E2BE06D-6DE9-60FA-3300-00000000E601}31563176C:\Windows\system32\conhost.exe{2E2BE06D-7023-60FE-1F79-00000000E601}6496C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001026941Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:19:47.534{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001026940Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:19:47.534{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001026939Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:19:47.534{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001026938Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:19:47.534{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001026937Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:19:47.534{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001026936Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:19:47.534{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001026935Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:19:47.534{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001026934Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:19:47.534{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001026933Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:19:47.534{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001026932Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:19:47.534{2E2BE06D-6DD6-60FA-0500-00000000E601}416536C:\Windows\system32\csrss.exe{2E2BE06D-7023-60FE-1F79-00000000E601}6496C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001026931Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:19:47.518{2E2BE06D-6DE8-60FA-2700-00000000E601}28923740C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2E2BE06D-7023-60FE-1F79-00000000E601}6496C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001026930Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:19:47.519{2E2BE06D-7023-60FE-1F79-00000000E601}6496C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2E2BE06D-6DD6-60FA-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{2E2BE06D-6DE8-60FA-2700-00000000E601}2892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001026929Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:19:47.049{2E2BE06D-7022-60FE-1E79-00000000E601}65084988C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{2E2BE06D-6DE8-60FA-2700-00000000E601}2892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000890020Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:19:38.462{D94AFF6C-6DD8-60FA-1000-00000000E701}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse136.243.129.221static.221.129.243.136.clients.your-server.de59580-false10.0.1.15win-host-702.eu-central-1.compute.internal3389ms-wbt-server 23542300x8000000000000000890019Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:19:48.100{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9ED8E9A6A1497C6662C8EEDE65A1C15F,SHA256=565F1B7285C9FDB98A887753B8AA1D27ABBBBA5D3556E75D5AA0B44E1571BC7E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001026944Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:19:48.065{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=045B4012C18F4A6EB22BE151CC826152,SHA256=87D23A042A181C4ECC7336E54F5D5A9AA9DC866604FDA045B4EDC524B08336A7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000890021Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:19:49.100{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=645D785D2E87767F6A5AB264BB4609C8,SHA256=1F1F47A7A5FF7D2A6EEF96197A89B20924E4E0868385F7FDF8D9F7F2A3333BF4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001026945Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:19:49.080{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=89140B167535F8028336A0C8D1E3A970,SHA256=56BC2216983F8EC7D54CADC668E6F09597D98BF2182C6BAA820DDBF5CFBFE122,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000890023Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:19:50.116{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C159C225A43B72BB72E5EF6AE2C50DFE,SHA256=F0433991554EA39D03F336F7719DD4002CC3F5259309508202EC6728183F5074,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001026950Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:19:50.666{2E2BE06D-6DD6-60FA-0B00-00000000E601}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-56.attackrange.local59180-true0:0:0:0:0:0:0:1win-dc-56.attackrange.local389ldap 354300x80000000000000001026949Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:19:50.666{2E2BE06D-6DE8-60FA-2300-00000000E601}2740C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-56.attackrange.local59180-true0:0:0:0:0:0:0:1win-dc-56.attackrange.local389ldap 354300x80000000000000001026948Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:19:50.337{2E2BE06D-6DF4-60FA-6900-00000000E601}3676C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-56.attackrange.local59179-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001026947Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:19:50.612{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=55E9B940A5B9EB13AC5749F3D6FC3E3E,SHA256=2E8666C55F69B0F86DF3E1B990CEF512C4A47CE869E80E9DCEC580201E2705D0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001026946Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:19:50.081{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D19771D140215325530F1DF6E004AD55,SHA256=F9A6488AB6F8F88C08F5733EAFB5D3C7A16BB2A3E0F0C1BF6AEBB30B417395B8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000890022Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:19:50.006{D94AFF6C-6DD9-60FA-2200-00000000E701}1296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=85E02EEFEB94889C2B3FA0450D64D965,SHA256=FD2D44B44F455C51F744FDF6D494B2B2CAA113DD2D7C2DD2E0FED42E8CA25B0C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001026964Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:19:51.784{2E2BE06D-6DE9-60FA-3300-00000000E601}31563176C:\Windows\system32\conhost.exe{2E2BE06D-7027-60FE-2079-00000000E601}3788C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001026963Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:19:51.784{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001026962Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:19:51.784{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001026961Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:19:51.784{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001026960Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:19:51.784{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001026959Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:19:51.784{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001026958Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:19:51.784{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001026957Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:19:51.784{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001026956Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:19:51.784{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001026955Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:19:51.784{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001026954Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:19:51.784{2E2BE06D-6DD6-60FA-0500-00000000E601}416420C:\Windows\system32\csrss.exe{2E2BE06D-7027-60FE-2079-00000000E601}3788C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001026953Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:19:51.784{2E2BE06D-6DE8-60FA-2700-00000000E601}28923740C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2E2BE06D-7027-60FE-2079-00000000E601}3788C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001026952Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:19:51.770{2E2BE06D-7027-60FE-2079-00000000E601}3788C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2E2BE06D-6DD6-60FA-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{2E2BE06D-6DE8-60FA-2700-00000000E601}2892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001026951Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:19:51.096{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6707F85690B29A7C910A8C50839E74C4,SHA256=BEE1B12B1680361F5144A6FAFBED1C648E2AF8D010F32E0C9C805DC5697623C3,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000890026Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:19:42.265{D94AFF6C-6DE2-60FA-6100-00000000E701}3628C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-702.eu-central-1.compute.internal52492-false10.0.1.12-8000- 354300x8000000000000000890025Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:19:42.030{D94AFF6C-6DD9-60FA-2200-00000000E701}1296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-702.eu-central-1.compute.internal52491-false10.0.1.12-8089- 23542300x8000000000000000890024Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:19:51.131{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CBE114A00244C58D19F566DCC07417B8,SHA256=72E29BB3E53F2BD334F73FD281B316CDC59676C2918B5B74C8A2AC056C5FD79D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000890027Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:19:52.147{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B4809B434D6463213F34B085968D493A,SHA256=973BD577F4C4E5F95B6C292F5127AA227A02F13CA7221E071F63518369BDF112,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001026966Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:19:52.893{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5A86BE6B5E66A739A7C29B7D270E52DE,SHA256=1D10DCB0A3C70DB8FBE242100BF64C32D4313C09DE6D4C831801A18AA6C81C62,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001026965Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:19:52.112{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8507A1CDF20D9E065180F15C3A9E8DB9,SHA256=462C22E823FBDC1545374E5AA35A2B73DCFEF49565EF4FCA0110E8EF4ADA6172,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000890028Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:19:53.163{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F4E2BE12FAEE7F150588D31974284501,SHA256=5252E1F0A10F5E09D5FB8648EB63CA81588034165B53C2D5C95FF03F09B89C94,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001026967Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:19:53.112{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=44517C00D295FCDC013745F8A1F8F316,SHA256=3AC8CFA4EA786A0452C31D34A82E191227DB6BF033FAA539C6C8A85E349972BB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000890029Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:19:54.178{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A6D6EDB6FD723D47F59406379A3CEFDA,SHA256=7F0CBF158C475C1205C2781B0E3BD73C342EB253DB81DEB18656EBA59D28EB4E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001026968Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:19:54.112{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6576EDE87967F217657BD54483B5F087,SHA256=57051D5C61594E592BF66D6D84F749F077C9B9502C2F4431B93CC7FCF56048B4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001026969Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:19:55.143{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=26D15EDEEFE1B984E89D8E49F686229A,SHA256=8887737255473C8ABE9CA5F64FD309441DC16778F4EB9942E985B35718B900B1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000890030Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:19:55.194{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9804BA21D03148453763DB13CB399446,SHA256=E81D21EE0A22FCF8964510032FBCC917B2B094D1759A93B457E4D99A9A393AC6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000890031Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:19:56.209{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C9CFD9733002388FE6BE849C29C16F1,SHA256=9A9521FF19BE7B0C217D3C5F792DA40D490FCA519C79C503D50346522FF38F9F,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001026971Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:19:56.244{2E2BE06D-6DF4-60FA-6900-00000000E601}3676C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-56.attackrange.local59181-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001026970Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:19:56.143{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=015481FA3E1907F0F145C6404685541B,SHA256=65BBE1CC7E335BFB982CB0B62D09D18F80342066F5B54A027F3143C274196F4C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000890032Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:19:57.225{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8DFCF4C3EC06992F69DC6B35D42BD2B3,SHA256=EC75F084B5ABA0B7AB7638687CCAA77D0C1D1D28661F752ECB8A48FF5F8BDF4A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001026972Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:19:57.143{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2DFF14938FFC0E240304526257ECC538,SHA256=4B0B55CACDA244CB68C2626B7B019BB5E432A344FE17ACE9444AF670B7426B98,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000890034Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:19:48.202{D94AFF6C-6DE2-60FA-6100-00000000E701}3628C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-702.eu-central-1.compute.internal52493-false10.0.1.12-8000- 23542300x8000000000000000890033Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:19:58.241{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=33F5B10E0C3452AC5961A17E7CF7A7AF,SHA256=EAA4C5EAEAA2E286BEC3CC6667BB5EEDC8ACA4E44147086EECC786662167D28A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001026973Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:19:58.143{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=996A307F9CDE3432C30A5D9B6DB4F0FA,SHA256=8B220DE6AB81A79A0781815C60822EDD9DB888AAF65C5A1A797EFAAAB0298E69,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001026974Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:19:59.174{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D7626DF88721D5EAC19C2451446114B,SHA256=9D1B9735830F06DE453B2371469268D4942163FCE564466232FDD5CB0A59DA24,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000890035Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:19:59.256{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1ABE63737F761161E471D240A24C6F44,SHA256=815EDC9BF8ED4B23F921BC5CC7E9B2E858275908EEA3EDEEFB52125BA060ECB2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001026975Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:20:00.393{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C26E15C292569E3E1152459CB2BBC2C,SHA256=F75FBF1067A2719B56DD181690757E3718F6C2CE5971BA2A96661230CDB88958,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000890036Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:20:00.272{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=009B205F49670E0D81390D32B193AA35,SHA256=760496C6785F5BAE37E7929ACF196F3AE322E82472EF5D712D9DE8BCF99DFB08,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001026976Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:20:01.393{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D022F5A08516B7FD553E0ACB5DA0AAB1,SHA256=452924A91FD1D1EA688E6986A2B8C6F6519AE5FB03D5A0E2147F934135A95286,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000890037Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:20:01.288{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB33FB76B0786F9225EC5EFDB8537803,SHA256=058465D0C273A572E30AA318FFEF63B867D74F5666F7CF5D3E140A527DC9DB23,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000890038Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:20:02.303{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DCC1666C9DF07964D8FF12BB2F0D59AA,SHA256=5623965AB3B78CB712C9F3984AA1C5BAC3B034D976FCDB10C1C8CCA780008C20,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001026978Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:20:02.408{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A4E7598B03A585505F38FE8FE47A27AD,SHA256=09959DF90133C2F2617AA6D1DFFEF9A45D22DC49C909AAD2E035DDF8EC1AB230,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001026977Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:20:01.338{2E2BE06D-6DF4-60FA-6900-00000000E601}3676C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-56.attackrange.local59182-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000890040Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:19:54.139{D94AFF6C-6DE2-60FA-6100-00000000E701}3628C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-702.eu-central-1.compute.internal52494-false10.0.1.12-8000- 23542300x8000000000000000890039Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:20:03.319{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6CF9E0AE5B822631406F10ED12E5A517,SHA256=83E770B727C5117328AD208AB9E76BBE917C8B2626EA00DFFB47341B847B3587,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001026979Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:20:03.471{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D29D60E9969E68C90107BE37495B414,SHA256=711D0160C1648E2C45A19F4B0717ED17C81A6D1F5367100C2655330D642C555A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001026980Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:20:04.471{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7AA0EF79BB9C4490F2F7EE2E10CA1AFA,SHA256=84F22AE9B16522247A9604313CCFDDF83D8FE5F8F48945C1E2A9EF3A726D9B8A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000890041Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:20:04.335{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE26C7546A3808A72BC8F551F0759BB9,SHA256=F91128EA57AA54AB2634C7DFE199BBFD759506F30CEFD1CA49A9915B6FA49AF3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001026981Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:20:05.502{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8CD8B2ED0C377F296D248D354BCBA12A,SHA256=2CBCC79B78B367C094CBB1588A468EAB0218FFDF32EC34B498D716EA8996472B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000890042Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:20:05.381{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=72694EF593177258D45F913957EC9D25,SHA256=D1FA2E3D6309A664DAA838072182E2F65D3B5D7D039E7D29DC248D890B22590A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001026982Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:20:06.505{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2EA70EA24E792F5839727BC787E9FFCA,SHA256=29290C130E3829795DB5CB8D767D90FB844ED19171BD3ACA9360500166F798F7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000890043Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:20:06.413{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=13AC4CD468DCBC01C497F969344CE9B3,SHA256=3C33805BFB303259281D29FD26068C6203EA89C320E281BF194BF7603F31499C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000890044Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:20:07.631{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=009587EEECC65792F2BA393EBEE66AD6,SHA256=DC2B28BAEC6AB65D8FFD601F0EA7533C95ED523AE78849396A47FB6398AED03D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001026983Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:20:07.533{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=703F2F96454EA65EF163F622DE801FB6,SHA256=F5463EEE16281C649F765B3FC844883EE513EF34B9267ABFB2B8636EA633A19F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000890046Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:19:58.312{D94AFF6C-6DD8-60FA-1100-00000000E701}972C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruetruefe80:0:0:0:1cf1:2a09:f5ff:fef0win-host-702546dhcpv6-clienttrueff02:0:0:0:0:0:1:2-547dhcpv6-server 23542300x8000000000000000890045Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:20:08.694{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB307FB903FFA199FDD084177D9E9881,SHA256=A5FDF8AE8CD98C5FFDF38ED2329199FB45AB012F2C7D2744B2F9644D4EB59081,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001026985Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:20:07.212{2E2BE06D-6DF4-60FA-6900-00000000E601}3676C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-56.attackrange.local59183-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001026984Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:20:08.553{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F9025D0BDFA97561B96A4256504053B0,SHA256=36B46773A565AC7B5E058FCF271907AFB2BA7B8837BB0456C09C57400F52EC35,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000890048Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:19:59.233{D94AFF6C-6DE2-60FA-6100-00000000E701}3628C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-702.eu-central-1.compute.internal52495-false10.0.1.12-8000- 23542300x8000000000000000890047Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:20:09.725{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6915F542CFBB579E9CE052021E83616A,SHA256=8D10734D3E795F048941ADFFEEC5A8BE83C80B1133987A604F25A1529B85BFD6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001026988Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:20:09.787{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=27D85D24E036BCCC28DE3BB71CC03D9E,SHA256=B3797803581DDD1AF7A2402B1E8C4C5C0D0E3EEF0E131F8690422CBF34E48842,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001026987Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:20:09.678{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F4047903C81A1CA018C5E87146C21252,SHA256=5F7F426C26FEF50D49ABE14E507E5DF2B9F0AAA9CE45B92AD7D831E7020055D0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001026986Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:20:09.678{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D08C0D80098B38650F0B0F88BF707595,SHA256=2A1C2C28148BFEFAAD0E05B96492AB62E5B644206DC60BF3E75C01017F45F9F4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000890049Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:20:10.959{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=201537002D8AF497F17C519DB1D85F34,SHA256=1790076B3D2563866001436455992685EEFEC33BC0266BFFEED663456960E0BD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001026990Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:20:10.897{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F5341F472FEED351BF7EEAEA4B36BFEB,SHA256=883369F8081D21B9BD81B1BC921155CB12F41C2204B1D9BE05E08E5C6A14326B,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001026989Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:20:09.530{2E2BE06D-6DD8-60FA-0F00-00000000E601}368C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse212.102.35.69unn-212-102-35-69.cdn77.com56803-false10.0.1.14win-dc-56.attackrange.local3389ms-wbt-server 23542300x80000000000000001026991Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:20:11.928{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F475559949BE93C5C832214DDEB989AA,SHA256=EA493798F716142F1EC8EFE7F76899682E31CCEDDCAFF1902C98886BFC2A8467,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001026993Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:20:12.943{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=217530CA2BE2F7DFFC0D0A618A65C400,SHA256=3BF4E858E786D73B3509EF08D906DF3C3D159108BBFC468BC11E336DBB388718,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000890050Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:20:12.069{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A05988D3D0C29854E10516D1B1DC7F72,SHA256=AF72CF989D995463B3DF8D21601BF8740C0E03424E7B96004B74E175D4B5B1B6,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001026992Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:20:12.310{2E2BE06D-6DF4-60FA-6900-00000000E601}3676C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-56.attackrange.local59184-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000890051Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:20:13.085{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D4C79A62C8B109D246EF234FC790F937,SHA256=53E4E6D43568BEE97A925116C27167B319038ECB3CDC2B0E8A8FC636C13716CE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000890052Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:20:14.100{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BAF4C6C6E34515729EA2E0633FC86AE2,SHA256=C30A793FB83DADF39B38661D9B6BD8CA86E15306DAD1C005C5149F93892B788A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001026994Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:20:14.006{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A5BD1D328676203632289CA388B734C5,SHA256=C0DAD045B606614B2DFEE98BE75C021AAFF843C8C98A20DA6BB8D0AA33180407,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000890054Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:20:05.123{D94AFF6C-6DE2-60FA-6100-00000000E701}3628C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-702.eu-central-1.compute.internal52496-false10.0.1.12-8000- 23542300x8000000000000000890053Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:20:15.241{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E8D1FC95883F532CCE6F6F30937D096,SHA256=9D5F50C9970160B6BE682A798968F54CD38285C16C38BA8CFD511477A58DE123,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001026995Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:20:15.022{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FD5FE7F6ED296CF7C2BC18C50D580265,SHA256=B74F8FCB9819D25C59A5F21CCEC9424E069857D7BEB8A96B0EDF70FD95DEE6DE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000890055Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:20:16.288{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=941674D690A333483E650D7D382C92F8,SHA256=EBB38FDFB29655E4401182CEA00021FE60EF5742B9601327AF29CEBA55869595,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001026996Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:20:16.022{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F77E55E13F30B46A27262419684C4CC7,SHA256=1F64E1587D38E40BDF01A41BC13137CED0E38071AB478C57905706E20D30B6CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000890056Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:20:17.319{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB7A58A389A9733B7CF6F91544BDE7CE,SHA256=3F19B542DF7FB715203360C67DB1ECAB64632350E3E925F588C11FF37FE99361,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001026998Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:20:17.834{2E2BE06D-6DD8-60FA-1200-00000000E601}780NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=DFF6F4335E9C7C4570FA5116B4A060AE,SHA256=56EABDEB1EDF46AD529D62E46E49FCFAF23B645EC53493DCFE4BA90CFA3DFE56,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001026997Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:20:17.068{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E68956E870C3C19F9A55D6B7AFD190AA,SHA256=4C5DDF9434BB55511A87B504CE0EDE8D0423C2AE80D41250540DC3A488BA9E5A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000890057Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:20:18.319{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=59480465017C6E659CFC99945295A662,SHA256=BC035BB00C106042BA5F8982B03158051CB9E1870A16D495A3973716C0E43FA9,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001027000Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:20:18.232{2E2BE06D-6DF4-60FA-6900-00000000E601}3676C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-56.attackrange.local59185-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001026999Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:20:18.084{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=55D7DBD46D9C7FD46AF2D5C125CBA1A9,SHA256=3C1B57491F122C181C13485000FDAD7B46C4B848A673DD55E78B12A9296FFEDC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000890061Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:20:09.480{D94AFF6C-6DD8-60FA-1000-00000000E701}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse193.93.62.33-50344-false10.0.1.15win-host-702.eu-central-1.compute.internal3389ms-wbt-server 23542300x8000000000000000890060Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:20:19.538{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F67B77B3F79B4F0D16AC798789EF3ED8,SHA256=13DD50B6BFB17EA237EA6A6B93484F9DF2620FEBABCE10D2C53BB633B6DFC95A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000890059Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:20:19.538{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=544FFD3F38B24AABAF0D0F0B69C8B2B5,SHA256=B6968083F81C42AEFEFBB8CDD63FB85C2BC56E2E39A6AC0DECFC74089ED3D850,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000890058Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:20:19.506{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=550502F2D4D0079A0DE7EED980596553,SHA256=26BECFC57A1C05728A6BD522132DFAE4913A613C8A7594ECE1303E3EE3E08A98,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001027001Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:20:19.147{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9FC92B703B0501823C1A91BE2351E3A2,SHA256=3CA91842AB311282DE45B57CA743199390B1C0517FD324FE1A592BC5408ED3FF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000890062Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:20:20.553{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C456A0E3E3CA62F561DB6E70FC5CEB2,SHA256=9E61D12F9CF688F857B546C89D575FBF94D7C73B520D0B04E3AAA3D2E5F47CD7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001027002Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:20:20.162{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=097DB61EF5E634849BA3D777C08F6469,SHA256=A156D5AD1E27247B819C63C610FEA9490CE347E38276082B7EA211393598D371,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000890064Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:20:11.092{D94AFF6C-6DE2-60FA-6100-00000000E701}3628C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-702.eu-central-1.compute.internal52497-false10.0.1.12-8000- 23542300x8000000000000000890063Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:20:21.569{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=087F8C0A3D4DBE722E2429F6293671AC,SHA256=AE22A9D30A6B70D56AEFC2431A68AAC64C26826476D67E8030A5958914802014,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001027003Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:20:21.193{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=77400CA8EB2D1C839D83482EF750FAFE,SHA256=5091FD78C575DFD6F406E15A89D6B8F3F1D65B70C0E86D92AC66218DB6E21185,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000890067Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:20:12.367{D94AFF6C-6DD8-60FA-1000-00000000E701}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse210.245.94.89smtp2.groupcontact.net65307-false10.0.1.15win-host-702.eu-central-1.compute.internal3389ms-wbt-server 23542300x8000000000000000890066Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:20:22.569{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E229D3C14229C28C8B7D7816D0DAC86,SHA256=A629E09556601A312307E53AA57F1CFA352364EAB3B3B2041C335E6E68261F8C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001027004Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:20:22.209{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=75ED0CFE001AB468EBACF4C1F4083545,SHA256=4836CBF686C1DF6A1CDA77F91970E124716A345A52ED7771B1E71BFD137BA68C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000890065Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:20:22.444{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F67B77B3F79B4F0D16AC798789EF3ED8,SHA256=13DD50B6BFB17EA237EA6A6B93484F9DF2620FEBABCE10D2C53BB633B6DFC95A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000890069Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:20:13.263{D94AFF6C-6DD8-60FA-1000-00000000E701}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse210.245.94.89smtp2.groupcontact.net57750-false10.0.1.15win-host-702.eu-central-1.compute.internal3389ms-wbt-server 23542300x8000000000000000890068Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:20:23.585{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB7186374266886A49BCC75F1F619E95,SHA256=8A0FDD9DE40AEA7CFC44BB909E3503DD2E75FC10A0BDA0364CEF808D23CC5880,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001027005Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:20:23.209{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D6054447E37B4C6A7E4FC615C228EB64,SHA256=C3B3B2279F083747116AC9793CE44B35ABC3ADAE97FFBFAFD4A817626977297F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000890070Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:20:24.600{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6226133D08A3ED80DC21C9E00D9FED89,SHA256=35406B79A7A784FCC4D0D3EEAA721250F8E238606E08A6354E818DE3C21A2FC3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001027008Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:20:24.928{2E2BE06D-6DE8-60FA-2700-00000000E601}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=85E02EEFEB94889C2B3FA0450D64D965,SHA256=FD2D44B44F455C51F744FDF6D494B2B2CAA113DD2D7C2DD2E0FED42E8CA25B0C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001027007Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:20:24.287{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C9B686ED16F87B1711BC1D8FB5187CD1,SHA256=CD049CE522BAB4572914A8CBFA8613E7A84C442D5D8027C703931F240D9B55CF,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001027006Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:20:23.341{2E2BE06D-6DF4-60FA-6900-00000000E601}3676C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-56.attackrange.local59186-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000890071Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:20:25.616{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A5808C4A20FD43EC03A112C04BD30B14,SHA256=93C8A639E5858EFFAEC6764BB777C4E6E524795DBC5FE8D94D545AC10F7456B1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001027009Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:20:25.287{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A0560A4C76EE38325BB8F4281800AF94,SHA256=A2F9632B403767B02987CA9F40DA06278E8A270F3A1F6793B6DDA6D0FCC1DD2F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000890073Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:20:16.201{D94AFF6C-6DE2-60FA-6100-00000000E701}3628C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-702.eu-central-1.compute.internal52498-false10.0.1.12-8000- 23542300x8000000000000000890072Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:20:26.616{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=141A3FF5AD84CD62140216B0484B53A5,SHA256=BA59F1127CED3F09076639A9C75968F86D0B243769B1D2B3DA1F35AB4DA86BEC,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001027011Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:20:26.044{2E2BE06D-6DE8-60FA-2700-00000000E601}2892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-56.attackrange.local59187-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x80000000000000001027010Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:20:26.303{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=51241022E26F9582937F027CA487AD8D,SHA256=790B02563EB3A26BC933DFEA76714EA59F45FD09219CB826928F1FEFF36FF889,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000890087Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:20:27.897{D94AFF6C-6DDA-60FA-2B00-00000000E701}28322852C:\Windows\system32\conhost.exe{D94AFF6C-704B-60FE-9278-00000000E701}3788C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000890086Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:20:27.897{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000890085Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:20:27.897{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000890084Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:20:27.881{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000890083Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:20:27.881{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000890082Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:20:27.881{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000890081Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:20:27.881{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000890080Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:20:27.881{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000890079Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:20:27.881{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000890078Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:20:27.881{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000890077Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:20:27.881{D94AFF6C-6DD7-60FA-0500-00000000E701}4161852C:\Windows\system32\csrss.exe{D94AFF6C-704B-60FE-9278-00000000E701}3788C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000890076Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:20:27.881{D94AFF6C-6DD9-60FA-2200-00000000E701}12963324C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D94AFF6C-704B-60FE-9278-00000000E701}3788C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000890075Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:20:27.882{D94AFF6C-704B-60FE-9278-00000000E701}3788C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D94AFF6C-6DD8-60FA-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{D94AFF6C-6DD9-60FA-2200-00000000E701}1296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000890074Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:20:27.631{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8BA660CB899168872EAD1C8D8F4901CA,SHA256=87AD3C31DC3526DDD651E5C3D6F5E1F2EC1416298F3F6138B3986E5E68D2CF70,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001027012Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:20:27.303{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DCDAB1BCDDF9570232892AED4F165514,SHA256=B9B72155BD892BB38D44B1EDF07A533BFB3DCE28242DFCE4DAB54898179E6F72,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001027013Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:20:28.303{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD7E3266F9C962DACC337A84CEFF991F,SHA256=C10237A265E8D448F49F590B1E8687E5F1A39AF8C318A6E88EE0B9FB7EAA8B49,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000890103Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:20:28.569{D94AFF6C-6DDA-60FA-2B00-00000000E701}28322852C:\Windows\system32\conhost.exe{D94AFF6C-704C-60FE-9378-00000000E701}912C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000890102Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:20:28.553{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000890101Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:20:28.553{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000890100Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:20:28.553{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000890099Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:20:28.553{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000890098Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:20:28.553{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000890097Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:20:28.553{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000890096Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:20:28.553{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000890095Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:20:28.553{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000890094Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:20:28.553{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000890093Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:20:28.553{D94AFF6C-6DD7-60FA-0500-00000000E701}416432C:\Windows\system32\csrss.exe{D94AFF6C-704C-60FE-9378-00000000E701}912C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000890092Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:20:28.553{D94AFF6C-6DD9-60FA-2200-00000000E701}12963324C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D94AFF6C-704C-60FE-9378-00000000E701}912C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000890091Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:20:28.554{D94AFF6C-704C-60FE-9378-00000000E701}912C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D94AFF6C-6DD8-60FA-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{D94AFF6C-6DD9-60FA-2200-00000000E701}1296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000890090Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:20:28.553{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1403989C9C0E317A2F2C7E66352D74AC,SHA256=7FECBE2755D05E849D325FED879E82929B6BA19CEFA3D7CFFE20BB5BBEA65D96,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000890089Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:20:28.553{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=60882DA6D8A405FC54574B862FCA1AD9,SHA256=9307CDE6D6F14FF3FB48A34172D47BF0F5C890CA106EBAA822075C1D80179776,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000890088Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:20:18.682{D94AFF6C-6DD8-60FA-1000-00000000E701}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse210.245.94.89smtp2.groupcontact.net63224-false10.0.1.15win-host-702.eu-central-1.compute.internal3389ms-wbt-server 23542300x80000000000000001027014Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:20:29.522{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7175A7CB4897AA824A856B4A6AC9F6A2,SHA256=02FD3AD41A72316C64F5CA822AF89F1508FBBB11841F2C3DC26212063D9E0D7A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000890131Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:20:29.913{D94AFF6C-6DDA-60FA-2B00-00000000E701}28322852C:\Windows\system32\conhost.exe{D94AFF6C-704D-60FE-9578-00000000E701}3920C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000890130Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:20:29.897{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000890129Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:20:29.897{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000890128Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:20:29.897{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000890127Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:20:29.897{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000890126Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:20:29.897{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000890125Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:20:29.897{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000890124Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:20:29.897{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000890123Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:20:29.897{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000890122Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:20:29.897{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000890121Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:20:29.897{D94AFF6C-6DD7-60FA-0500-00000000E701}4161852C:\Windows\system32\csrss.exe{D94AFF6C-704D-60FE-9578-00000000E701}3920C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000890120Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:20:29.897{D94AFF6C-6DD9-60FA-2200-00000000E701}12963324C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D94AFF6C-704D-60FE-9578-00000000E701}3920C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000890119Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:20:29.898{D94AFF6C-704D-60FE-9578-00000000E701}3920C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D94AFF6C-6DD8-60FA-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{D94AFF6C-6DD9-60FA-2200-00000000E701}1296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000890118Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:20:29.600{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1403989C9C0E317A2F2C7E66352D74AC,SHA256=7FECBE2755D05E849D325FED879E82929B6BA19CEFA3D7CFFE20BB5BBEA65D96,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000890117Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:20:29.241{D94AFF6C-6DDA-60FA-2B00-00000000E701}28322852C:\Windows\system32\conhost.exe{D94AFF6C-704D-60FE-9478-00000000E701}2396C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000890116Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:20:29.225{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000890115Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:20:29.225{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000890114Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:20:29.225{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000890113Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:20:29.225{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000890112Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:20:29.225{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000890111Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:20:29.225{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000890110Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:20:29.225{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000890109Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:20:29.225{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000890108Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:20:29.225{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000890107Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:20:29.225{D94AFF6C-6DD7-60FA-0500-00000000E701}416432C:\Windows\system32\csrss.exe{D94AFF6C-704D-60FE-9478-00000000E701}2396C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000890106Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:20:29.225{D94AFF6C-6DD9-60FA-2200-00000000E701}12963324C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D94AFF6C-704D-60FE-9478-00000000E701}2396C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000890105Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:20:29.226{D94AFF6C-704D-60FE-9478-00000000E701}2396C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D94AFF6C-6DD8-60FA-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{D94AFF6C-6DD9-60FA-2200-00000000E701}1296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000890104Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:20:29.022{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=140867EA5B4785BBECA5851B5E4C72B4,SHA256=319C3A7DBD7AAF2B1C77DA4F020A30E717E0848A0C9E2469CA1FEE3C4255FCA8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001027016Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:20:30.522{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE3322DB8F606FCFC4E9151EDFB7CFA5,SHA256=EE9B16C3F75B67B178A484D916AF83FD47E9B85E05C3100FDD4EA1111C6F0AB6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000890134Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:20:30.928{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=20C27D8C35E1EF0FC0BFC163D255E889,SHA256=0307204356A13CA3544E5122A5A910E7BE45EA5DA32278CC60341ACC7CBC6FEA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000890133Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:20:30.272{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F50E987CCD6A814F3E4B142E75EE779,SHA256=5434518D76791E8B75967A92EDC2D224A07A1D1B2604B556B62564482B587FE9,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001027015Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:20:29.216{2E2BE06D-6DF4-60FA-6900-00000000E601}3676C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-56.attackrange.local59188-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x8000000000000000890132Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:20:30.022{D94AFF6C-704D-60FE-9578-00000000E701}3920832C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{D94AFF6C-6DD9-60FA-2200-00000000E701}1296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001027017Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:20:31.615{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA885B17F4A9CA019AAD740A0F0528A0,SHA256=1308C37D4CF144D69E7DE97431AFDB0145AB4B511A503D54953C7FD52525915C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000890135Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:20:31.303{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2235BFAA359BF4CA56DDE7DF0852F07A,SHA256=917CA9445B7941224ACD29AACD1DE37C1C153BB434BDED6CD4EB0A79C7733EBE,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001027021Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:20:31.813{2E2BE06D-6DD8-60FA-0F00-00000000E601}368C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse212.102.34.235unn-212-102-34-235.datapacket.com3159-false10.0.1.14win-dc-56.attackrange.local3389ms-wbt-server 23542300x80000000000000001027020Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:20:32.850{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=38C50F40C8D368BBE8102C3E449B48C3,SHA256=07EDB4E460E41D3B5F98469A3837C7AA125A4AFDC4C8A567FEB24A7F9B5BB364,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000890137Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:20:32.397{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C5E49AFBFA70AFE46CAD7857CE2E92D5,SHA256=5BDEF83594397C80D03CB6314D1B5670ADDBCFE99487EE610834E84C8F3F2383,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001027019Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:20:32.006{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=959555DE6EC6AA8D26E273FC5C5E6D99,SHA256=03CC273C2FF10A8255E96D8B41E241E77A1DF93AD36AD7CDE0CA153E1509EEEC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001027018Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:20:32.006{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F4047903C81A1CA018C5E87146C21252,SHA256=5F7F426C26FEF50D49ABE14E507E5DF2B9F0AAA9CE45B92AD7D831E7020055D0,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000890136Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:20:22.170{D94AFF6C-6DE2-60FA-6100-00000000E701}3628C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-702.eu-central-1.compute.internal52499-false10.0.1.12-8000- 23542300x80000000000000001027022Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:20:33.865{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=414006F11A8E4F4D973228FD32809C65,SHA256=BE116DD9A3470C3DB5EB864658CDA502A927749D28B05407D1D8803CDF78E06B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000890138Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:20:33.460{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=20D54B5E8F28E40850F684B5770D4147,SHA256=89E9B4469F71469BB0786805A1B1BD0F7A798D8DDBC72AF268FFCF9C11EA6FD2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001027023Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:20:34.897{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=36D6B2F5D43DCB9D3587C29F27FD89EB,SHA256=7AA247C9176D7333083F4C4CD9F12878F03C00257F6E26D9340A0A0923FB4487,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000890139Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:20:34.491{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B3B4D9A00B9E86A6D7370C538869B2E5,SHA256=2DDD536B2AC760109FA6CC32D70A1F45A0A0FD8ABE3E4640DCA270FB342986E2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001027024Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:20:35.912{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C95E9AF5833F97A9C4A8FFFDA8818CB,SHA256=2B619F7922EDD7BDFE4E9B25CA441B71DD0906E572A16A416641B68BE9748B27,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000890154Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:20:35.772{D94AFF6C-7053-60FE-9678-00000000E701}3964644C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D94AFF6C-6DD9-60FA-2200-00000000E701}1296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000890153Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:20:35.663{D94AFF6C-6DDA-60FA-2B00-00000000E701}28322852C:\Windows\system32\conhost.exe{D94AFF6C-7053-60FE-9678-00000000E701}3964C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000890152Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:20:35.647{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000890151Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:20:35.647{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000890150Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:20:35.647{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000890149Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:20:35.647{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000890148Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:20:35.647{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000890147Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:20:35.647{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000890146Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:20:35.647{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000890145Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:20:35.647{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000890144Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:20:35.647{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000890143Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:20:35.647{D94AFF6C-6DD7-60FA-0500-00000000E701}4161060C:\Windows\system32\csrss.exe{D94AFF6C-7053-60FE-9678-00000000E701}3964C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000890142Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:20:35.647{D94AFF6C-6DD9-60FA-2200-00000000E701}12963324C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D94AFF6C-7053-60FE-9678-00000000E701}3964C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000890141Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:20:35.648{D94AFF6C-7053-60FE-9678-00000000E701}3964C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D94AFF6C-6DD8-60FA-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{D94AFF6C-6DD9-60FA-2200-00000000E701}1296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000890140Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:20:35.522{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=004C67E9ECB0B8B63544DCBE439E566D,SHA256=10FB93ED700C91D45EA27616F20A95D3A09D3DFE672606890CE1CBB11AA9B796,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001027026Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:20:36.912{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E60C982C91C14A752C843F95A7E0C251,SHA256=242A7CE3CA4C05233D5EAFAADB2E90ADA8EB47DD121AAFDD03DB00504E69C90C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000890157Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:20:36.741{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4A9B8FB256ED4DB8E9BC58A82397F192,SHA256=F6D7966E17442C5186DC2531A3EEB3F0CA114453EB9B06C6C87F7D206DE96839,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000890156Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:20:36.741{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5EEE0DED80F4D6648A2F68F2B14DC5B7,SHA256=90E259859AD874F81FF62E6F784BAB96E1E8960C8B7A72AB8AF853A3BDDE9B2D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000890155Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:20:36.741{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4CFFA5EE13729A67B7613772193B0B13,SHA256=A4972F506D8885E1718B092F11089488A5339A270B58BD8E026E26FB8C3445FE,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001027025Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:20:34.341{2E2BE06D-6DF4-60FA-6900-00000000E601}3676C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-56.attackrange.local59189-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001027027Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:20:37.912{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8DA56E200FF862835027A4678DDAB0F7,SHA256=18444611CCDEC3015692BB9F4964EDFB75C001007BAC3138F7DBA70B53DFF722,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000890158Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:20:37.756{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=784CD864A36F62960AE4E6A3015EF851,SHA256=51B245CF4CCE0F2C4569FFDB116DA0B6BCA9868058AC75BA8A20D2EA216E3DB6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001027028Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:20:38.928{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FAB09C613535D533EF1FCBBC065F32DC,SHA256=D9D61E04EA15B91B0892DF6DB024A2F4CB2066F764E945F14BB9C72B327F2A43,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000890160Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:20:38.772{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E0DBCE4EFE2294AF2A68E282C6A5DB2F,SHA256=5454E17C1E94CC1F7EEEF69BF9E3EA866DFAF4D505BFF157F2ACAAE05C787E2D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000890159Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:20:28.091{D94AFF6C-6DE2-60FA-6100-00000000E701}3628C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-702.eu-central-1.compute.internal52500-false10.0.1.12-8000- 23542300x80000000000000001027029Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:20:39.943{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE93B3BFABD59FF70B9F9668F103BD50,SHA256=420192734B3A3A361DBBC0D7A2779196B15B1EE1DDEE48F93394EECDCBF3AF52,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000890175Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:20:39.788{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6EF72E8A330131F4E43CDDF5396425C6,SHA256=A35E07306037183835DBDB67093B34653B1052C36F7B540BA2481B68631CB366,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000890174Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:20:39.788{D94AFF6C-7057-60FE-9778-00000000E701}19163684C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{D94AFF6C-6DD9-60FA-2200-00000000E701}1296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000890173Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:20:39.663{D94AFF6C-6DDA-60FA-2B00-00000000E701}28322852C:\Windows\system32\conhost.exe{D94AFF6C-7057-60FE-9778-00000000E701}1916C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000890172Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:20:39.647{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000890171Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:20:39.647{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000890170Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:20:39.647{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000890169Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:20:39.647{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000890168Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:20:39.647{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000890167Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:20:39.647{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000890166Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:20:39.647{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000890165Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:20:39.647{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000890164Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:20:39.647{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000890163Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:20:39.647{D94AFF6C-6DD7-60FA-0500-00000000E701}416432C:\Windows\system32\csrss.exe{D94AFF6C-7057-60FE-9778-00000000E701}1916C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000890162Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:20:39.647{D94AFF6C-6DD9-60FA-2200-00000000E701}12963324C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D94AFF6C-7057-60FE-9778-00000000E701}1916C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000890161Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:20:39.648{D94AFF6C-7057-60FE-9778-00000000E701}1916C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D94AFF6C-6DD8-60FA-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{D94AFF6C-6DD9-60FA-2200-00000000E701}1296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001027031Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:20:40.959{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=366F853A00F055F4FFE7F52E06956052,SHA256=F5776803661AF71AB994C06095C390A777E5F4466A2A3985B0C3332120EA811A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000890191Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:20:40.789{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C3944C59D74D9AF7EFCA96EC8E33E837,SHA256=12E1D32A922B731779D311CF1B90981FCC2A9548A8CB10082ED595C01B864949,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001027030Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:20:40.263{2E2BE06D-6DF4-60FA-6900-00000000E601}3676C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-56.attackrange.local59190-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000890190Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:20:40.664{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5EEE0DED80F4D6648A2F68F2B14DC5B7,SHA256=90E259859AD874F81FF62E6F784BAB96E1E8960C8B7A72AB8AF853A3BDDE9B2D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000890189Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:20:40.445{D94AFF6C-7058-60FE-9878-00000000E701}38763700C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D94AFF6C-6DD9-60FA-2200-00000000E701}1296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000890188Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:20:40.336{D94AFF6C-6DDA-60FA-2B00-00000000E701}28322852C:\Windows\system32\conhost.exe{D94AFF6C-7058-60FE-9878-00000000E701}3876C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000890187Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:20:40.336{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000890186Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:20:40.336{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000890185Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:20:40.320{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000890184Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:20:40.320{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000890183Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:20:40.320{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000890182Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:20:40.320{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000890181Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:20:40.320{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000890180Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:20:40.320{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000890179Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:20:40.320{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000890178Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:20:40.320{D94AFF6C-6DD7-60FA-0500-00000000E701}416432C:\Windows\system32\csrss.exe{D94AFF6C-7058-60FE-9878-00000000E701}3876C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000890177Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:20:40.320{D94AFF6C-6DD9-60FA-2200-00000000E701}12963324C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D94AFF6C-7058-60FE-9878-00000000E701}3876C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000890176Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:20:40.321{D94AFF6C-7058-60FE-9878-00000000E701}3876C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{D94AFF6C-6DD8-60FA-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{D94AFF6C-6DD9-60FA-2200-00000000E701}1296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001027032Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:20:41.959{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=885C299E38E7C6C7AC6EF15EF8AFC3E1,SHA256=3A66212F43638952597E5114AF3309270F0CCC64BA91F7563D63993FEB2F5E64,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000890192Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:20:41.801{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4447F0C898B4132DB90FD244C283AD8A,SHA256=F365C3D450541C2236E654CBC19FC7EEEAEBE10BC025AF2C7EC528D15B8EDBEF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001027033Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:20:42.975{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA85339667AA6FE6B6EAC2EB32D50175,SHA256=57F88CAFE9EA5E259374511044BE6CD3DF7781278748760675CECAA844D649FC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000890194Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:20:42.802{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B079132656F42948CBAD4DD2A1EB7125,SHA256=6EB06F2A518DD0D4D07A584C943D3920ED7C8CAA365853457387324364146DC3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000890193Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:20:42.771{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=54C9386055BB5A9E141E4E1C524D00C1,SHA256=3EE5EDB00484ED873F814F7BAB0FD238BDFE2DB618F04479E20BBD3F003E6A6A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000890197Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:20:43.818{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=93D578BC789955FCE168D13E54C51537,SHA256=19C9D5B07A6BED7E7EBDDD9C5804A84C9B6657D74CF4B15D52BE05A2F91535AA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000890196Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:20:33.533{D94AFF6C-6DD8-60FA-1000-00000000E701}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse191.96.168.227-54956-false10.0.1.15win-host-702.eu-central-1.compute.internal3389ms-wbt-server 354300x8000000000000000890195Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:20:33.198{D94AFF6C-6DE2-60FA-6100-00000000E701}3628C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-702.eu-central-1.compute.internal52501-false10.0.1.12-8000- 23542300x8000000000000000890198Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:20:44.818{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B8CCD991D765789B33E64C5E1A4F5F3,SHA256=D0120DE2C2CC0408A7B6982F02E6B1C4F0FD78945268AEED61375D02A44A0209,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001027061Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:20:44.881{2E2BE06D-6DE9-60FA-3300-00000000E601}31563176C:\Windows\system32\conhost.exe{2E2BE06D-705C-60FE-2279-00000000E601}4760C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027060Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:20:44.881{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027059Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:20:44.881{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027058Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:20:44.881{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027057Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:20:44.881{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027056Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:20:44.881{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027055Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:20:44.881{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027054Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:20:44.881{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027053Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:20:44.881{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027052Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:20:44.881{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027051Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:20:44.881{2E2BE06D-6DD6-60FA-0500-00000000E601}416536C:\Windows\system32\csrss.exe{2E2BE06D-705C-60FE-2279-00000000E601}4760C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001027050Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:20:44.881{2E2BE06D-6DE8-60FA-2700-00000000E601}28923740C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2E2BE06D-705C-60FE-2279-00000000E601}4760C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001027049Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:20:44.850{2E2BE06D-705C-60FE-2279-00000000E601}4760C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2E2BE06D-6DD6-60FA-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{2E2BE06D-6DE8-60FA-2700-00000000E601}2892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001027048Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:20:44.428{2E2BE06D-705C-60FE-2179-00000000E601}58486028C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{2E2BE06D-6DE8-60FA-2700-00000000E601}2892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027047Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:20:44.178{2E2BE06D-6DE9-60FA-3300-00000000E601}31563176C:\Windows\system32\conhost.exe{2E2BE06D-705C-60FE-2179-00000000E601}5848C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027046Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:20:44.178{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027045Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:20:44.178{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027044Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:20:44.178{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027043Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:20:44.178{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027042Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:20:44.178{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027041Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:20:44.178{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027040Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:20:44.178{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027039Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:20:44.178{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027038Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:20:44.178{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027037Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:20:44.178{2E2BE06D-6DD6-60FA-0500-00000000E601}416420C:\Windows\system32\csrss.exe{2E2BE06D-705C-60FE-2179-00000000E601}5848C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001027036Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:20:44.178{2E2BE06D-6DE8-60FA-2700-00000000E601}28923740C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2E2BE06D-705C-60FE-2179-00000000E601}5848C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001027035Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:20:44.163{2E2BE06D-705C-60FE-2179-00000000E601}5848C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2E2BE06D-6DD6-60FA-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{2E2BE06D-6DE8-60FA-2700-00000000E601}2892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001027034Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:20:44.022{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F37ACA1CE8C662CCF76A55B19D82378,SHA256=2FB84C81EBEF426268D41F16B0DC07A1C04BBF8C2466ED60FB7768D2D3B8119D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000890201Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:20:45.834{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E69B9F85B020D66CA056B7E81DF23EE3,SHA256=A19BB12A40B161837854A7C1614D12E95CEF3DFA79C7B72D56F113C384039D09,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001027078Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:20:45.740{2E2BE06D-705D-60FE-2379-00000000E601}52725060C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{2E2BE06D-6DE8-60FA-2700-00000000E601}2892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027077Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:20:45.568{2E2BE06D-6DE9-60FA-3300-00000000E601}31563176C:\Windows\system32\conhost.exe{2E2BE06D-705D-60FE-2379-00000000E601}5272C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027076Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:20:45.568{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027075Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:20:45.568{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027074Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:20:45.568{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027073Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:20:45.568{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027072Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:20:45.568{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027071Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:20:45.568{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027070Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:20:45.568{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027069Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:20:45.568{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027068Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:20:45.568{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027067Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:20:45.568{2E2BE06D-6DD6-60FA-0500-00000000E601}416536C:\Windows\system32\csrss.exe{2E2BE06D-705D-60FE-2379-00000000E601}5272C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001027066Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:20:45.568{2E2BE06D-6DE8-60FA-2700-00000000E601}28923740C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2E2BE06D-705D-60FE-2379-00000000E601}5272C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001027065Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:20:45.553{2E2BE06D-705D-60FE-2379-00000000E601}5272C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2E2BE06D-6DD6-60FA-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{2E2BE06D-6DE8-60FA-2700-00000000E601}2892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001027064Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:20:45.350{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=707AAE3317E55F86CF23BE52B43BC97C,SHA256=62CD25110991D8F3FCEA055C8DE5509DFB877D52BB8804F0D16E41C544D65AC1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001027063Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:20:45.350{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=959555DE6EC6AA8D26E273FC5C5E6D99,SHA256=03CC273C2FF10A8255E96D8B41E241E77A1DF93AD36AD7CDE0CA153E1509EEEC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001027062Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:20:45.350{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B38C206AE7A1F6E132E9C51AB2184EA3,SHA256=1B8B1DD53D8C0A7C1C6464615E058B504EAA8B7714253D9BCF48123DA5C2C35F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000890200Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:20:35.965{D94AFF6C-6DD8-60FA-1000-00000000E701}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse193.93.62.20-16327-false10.0.1.15win-host-702.eu-central-1.compute.internal3389ms-wbt-server 23542300x8000000000000000890199Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:20:45.318{D94AFF6C-6DD8-60FA-1100-00000000E701}972NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=698248B6132034E9CFD83CD534B1C489,SHA256=DDC63C18D8B2B5BC4E7812E3FC3645CC6BDD7EC223274A04E817FB03A581C58D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001027108Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:20:46.943{2E2BE06D-6DE9-60FA-3300-00000000E601}31563176C:\Windows\system32\conhost.exe{2E2BE06D-705E-60FE-2579-00000000E601}4392C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027107Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:20:46.943{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027106Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:20:46.943{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027105Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:20:46.943{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027104Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:20:46.943{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027103Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:20:46.943{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027102Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:20:46.943{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027101Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:20:46.943{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027100Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:20:46.943{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027099Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:20:46.943{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027098Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:20:46.943{2E2BE06D-6DD6-60FA-0500-00000000E601}416420C:\Windows\system32\csrss.exe{2E2BE06D-705E-60FE-2579-00000000E601}4392C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001027097Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:20:46.928{2E2BE06D-6DE8-60FA-2700-00000000E601}28923740C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2E2BE06D-705E-60FE-2579-00000000E601}4392C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001027096Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:20:46.928{2E2BE06D-705E-60FE-2579-00000000E601}4392C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2E2BE06D-6DD6-60FA-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{2E2BE06D-6DE8-60FA-2700-00000000E601}2892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001027095Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:20:46.185{2E2BE06D-6DF4-60FA-6900-00000000E601}3676C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-56.attackrange.local59191-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001027094Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:20:46.553{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=707AAE3317E55F86CF23BE52B43BC97C,SHA256=62CD25110991D8F3FCEA055C8DE5509DFB877D52BB8804F0D16E41C544D65AC1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001027093Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:20:46.490{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1BB67A6103F1C5AE3413A53341D69A45,SHA256=83118F61F0A5D6F57EDB74A2680D090F71DD7CFF1B83C46D21E3D10AF88DEAF2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001027092Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:20:46.475{2E2BE06D-705E-60FE-2479-00000000E601}6708296C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{2E2BE06D-6DE8-60FA-2700-00000000E601}2892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000890203Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:20:46.834{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=24543B53C094DBD66DD3EA7F314348B9,SHA256=3CA660F227105BC2744EB0BC19E2C8FA27EB796773577D9FF646FB58A109F3AA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000890202Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:20:46.021{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1FEA5CC27B666B48D314F9B66326B6DD,SHA256=6E055622B55F0357E3EBE1B0B4C8247C3671BF257CBFE81C8EAC134268F7F7BA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001027091Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:20:46.256{2E2BE06D-6DE9-60FA-3300-00000000E601}31563176C:\Windows\system32\conhost.exe{2E2BE06D-705E-60FE-2479-00000000E601}6708C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027090Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:20:46.256{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027089Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:20:46.256{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027088Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:20:46.256{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027087Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:20:46.256{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027086Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:20:46.256{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027085Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:20:46.256{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027084Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:20:46.256{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027083Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:20:46.256{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027082Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:20:46.256{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027081Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:20:46.256{2E2BE06D-6DD6-60FA-0500-00000000E601}416536C:\Windows\system32\csrss.exe{2E2BE06D-705E-60FE-2479-00000000E601}6708C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001027080Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:20:46.256{2E2BE06D-6DE8-60FA-2700-00000000E601}28923740C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2E2BE06D-705E-60FE-2479-00000000E601}6708C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001027079Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:20:46.241{2E2BE06D-705E-60FE-2479-00000000E601}6708C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2E2BE06D-6DD6-60FA-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{2E2BE06D-6DE8-60FA-2700-00000000E601}2892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001027122Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:20:47.818{2E2BE06D-705F-60FE-2679-00000000E601}68005360C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{2E2BE06D-6DE8-60FA-2700-00000000E601}2892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000890204Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:20:47.849{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE31711055846A86CA3C0DFA0A702B0B,SHA256=DF36E70632C98EFA31364ECC138450AFF4B508531C1D66E1DD6848D45D1601D4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001027121Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:20:47.631{2E2BE06D-6DE9-60FA-3300-00000000E601}31563176C:\Windows\system32\conhost.exe{2E2BE06D-705F-60FE-2679-00000000E601}6800C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027120Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:20:47.631{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027119Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:20:47.631{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027118Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:20:47.631{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027117Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:20:47.631{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027116Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:20:47.631{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027115Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:20:47.631{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027114Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:20:47.631{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027113Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:20:47.631{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027112Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:20:47.631{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027111Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:20:47.631{2E2BE06D-6DD6-60FA-0500-00000000E601}416536C:\Windows\system32\csrss.exe{2E2BE06D-705F-60FE-2679-00000000E601}6800C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001027110Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:20:47.631{2E2BE06D-6DE8-60FA-2700-00000000E601}28923740C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2E2BE06D-705F-60FE-2679-00000000E601}6800C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001027109Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:20:47.616{2E2BE06D-705F-60FE-2679-00000000E601}6800C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{2E2BE06D-6DD6-60FA-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{2E2BE06D-6DE8-60FA-2700-00000000E601}2892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000890205Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:20:48.849{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E43B502884063BE1709AA41665BB7953,SHA256=9A429CDC15FBAB6761F07736D6C60EE276E642DA8C9C2742837E247B78998A30,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001027125Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:20:48.881{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=540C25DF24A39341E97D3B67805C4542,SHA256=77F9E97AB41D6E2E461A9E4EDB4A9D60F85E26DE342302706A087728A17E2147,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001027124Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:20:48.225{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D98FA9C8BFD9D867910C41AB9EFB6C8,SHA256=492FC2301744BFFF226A089C80224E0C2F10200572EB1E0242F438468820FB9D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001027123Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:20:48.225{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8E01B14D414BFFBA30C39CBC1B1D0B1C,SHA256=6D5349D34F99CEE2F4433F3A96D98B7BDD8D98EBB84B30C70DC1B2AE35FD1519,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000890207Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:20:39.074{D94AFF6C-6DE2-60FA-6100-00000000E701}3628C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-702.eu-central-1.compute.internal52502-false10.0.1.12-8000- 23542300x8000000000000000890206Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:20:49.865{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=510CA0898AAC556574984EC75BCE3B68,SHA256=56B56BB2FC878D7E94287E1F1C1F26DB170D0637CCA2EF4BDB74D1BF939338C1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001027126Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:20:49.897{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=94A4001ED1E7BCE65AC5917E3C189CB8,SHA256=8B1C91F26987B68B9CFAAB74A7F64968222924AA8FB153CC49FFD45CCBB6B03F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000890209Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:20:50.880{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2BED81C325B88D7290ED09AD424F7D52,SHA256=511A7CBB44B79054A1CF53B30C9918D30B835B3CB35E20E68E8A78410F19F9E8,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001027130Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:20:50.670{2E2BE06D-6DD6-60FA-0B00-00000000E601}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-56.attackrange.local59192-true0:0:0:0:0:0:0:1win-dc-56.attackrange.local389ldap 354300x80000000000000001027129Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:20:50.670{2E2BE06D-6DE8-60FA-2300-00000000E601}2740C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-56.attackrange.local59192-true0:0:0:0:0:0:0:1win-dc-56.attackrange.local389ldap 23542300x80000000000000001027128Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:20:50.897{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=659EAA9CD3161CB8C24A6A6327BE94EC,SHA256=38FAB12EC193A0E055938A1C340DCA7070DCD5889552D6827D333AB2DBA8E881,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000890208Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:20:50.037{D94AFF6C-6DD9-60FA-2200-00000000E701}1296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=85E02EEFEB94889C2B3FA0450D64D965,SHA256=FD2D44B44F455C51F744FDF6D494B2B2CAA113DD2D7C2DD2E0FED42E8CA25B0C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001027127Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:20:50.568{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CF8E0CD46092F7EBC405DF9E841BB1F9,SHA256=859F029EC520C3B3E6E1F68122495347CFDE088E530D2F913D6CC9C33A5AFDD6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000890210Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:20:51.896{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=86F57F5355947CC91A70571857B99B45,SHA256=FE342848A87BAB490424FF915A7753C1D8E7F389EEAB65B6CD3C0D94552322F0,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001027145Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:20:51.294{2E2BE06D-6DF4-60FA-6900-00000000E601}3676C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-56.attackrange.local59193-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001027144Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:20:51.928{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=478E9C9517B071A376D5CA66A6CEF555,SHA256=847BD428B0B2C2A4D4875D6375F1C3D747E62E4A541901D4B6F611B533DC8D7F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001027143Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:20:51.803{2E2BE06D-6DE9-60FA-3300-00000000E601}31563176C:\Windows\system32\conhost.exe{2E2BE06D-7063-60FE-2779-00000000E601}5276C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027142Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:20:51.803{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027141Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:20:51.803{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027140Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:20:51.803{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027139Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:20:51.803{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027138Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:20:51.803{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027137Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:20:51.803{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027136Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:20:51.803{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027135Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:20:51.803{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027134Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:20:51.803{2E2BE06D-6DD6-60FA-0500-00000000E601}416420C:\Windows\system32\csrss.exe{2E2BE06D-7063-60FE-2779-00000000E601}5276C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001027133Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:20:51.803{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027132Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:20:51.803{2E2BE06D-6DE8-60FA-2700-00000000E601}28923740C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2E2BE06D-7063-60FE-2779-00000000E601}5276C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001027131Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:20:51.788{2E2BE06D-7063-60FE-2779-00000000E601}5276C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2E2BE06D-6DD6-60FA-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{2E2BE06D-6DE8-60FA-2700-00000000E601}2892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000890212Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:20:52.896{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A4DF00C039EE9B89D513869C5F80E978,SHA256=3F5871751EB4B1295B7FBFE241A0DD03B1DD0525E011E45A04ECF02E89BD256F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001027147Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:20:52.943{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=72438316E6C95B540A55E009A238BFE9,SHA256=E2908BE29A3DF949C71EF5ADC783A6B754C13D048EE8202B64C926643492BFA3,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000890211Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:20:42.058{D94AFF6C-6DD9-60FA-2200-00000000E701}1296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-702.eu-central-1.compute.internal52503-false10.0.1.12-8089- 23542300x80000000000000001027146Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:20:52.787{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6B59304B0AF8400DBC84554804F21996,SHA256=5857B1F480C1057DD56903BD760CD19621C71C736C1CB10310875486030B222D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000890213Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:20:53.912{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=67A8C04E952ECFB2238DFD2894084DDA,SHA256=B43BBE10E681E377B91CD5EF8E720F938C5F55A424D3180FEA5D43C7B6362CF2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001027148Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:20:53.943{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7860E7DEEF537393CC818F756EACD2C8,SHA256=239DF9A6475BCF2BF62C75ABCCA295CB894DCF8C7468199DD5A8ADBFB3B74985,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000890214Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:20:54.927{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=83FC8A52CED5F426C8E1662F701255E5,SHA256=F30B427F42A4E19A6B7550E1CB722EE5AE1EEF5111160F6441367A6D691EDAB8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001027149Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:20:54.959{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=046C43E18154FADF1A3E013B4F2AC883,SHA256=3658927BA52A8EF83DBE980BF742698553015006ED50B334470E749375B0E16C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000890216Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:20:55.943{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=249BFF24C6E26CA2C9A8030DDAC63CA8,SHA256=336EB8908EF3C81EB2DBD150A3023C73991ABA461F51D2621F7456A1ECDA5141,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000890215Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:20:44.246{D94AFF6C-6DE2-60FA-6100-00000000E701}3628C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-702.eu-central-1.compute.internal52504-false10.0.1.12-8000- 23542300x8000000000000000890217Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:20:56.943{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F2E5FED5DC6ECEB4ED89E091CF21A473,SHA256=4B14D1896F3882CCD18ED56BD72B3229427EDB2A2B050E46D0CB6E09FA989871,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001027152Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:20:56.162{2E2BE06D-6DD8-60FA-1000-00000000E601}3841632C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2500-00000000E601}2756C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+2a2f2|C:\Windows\system32\wbem\wmiprvsd.dll+29e26|C:\Windows\system32\wbem\wmiprvsd.dll+28432|C:\Windows\system32\wbem\wmiprvsd.dll+57817|C:\Windows\system32\wbem\wmiprvsd.dll+8a475|C:\Windows\system32\wbem\wbemcore.dll+bcb3|C:\Windows\system32\wbem\wbemcore.dll+3393|C:\Windows\system32\wbem\wbemcore.dll+22adf|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+2c9be|C:\Windows\system32\wbem\wbemcore.dll+202d8|C:\Windows\system32\wbem\wbemcore.dll+390e|C:\Windows\system32\wbem\wbemcore.dll+22bba|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+22711|C:\Windows\system32\wbem\wbemcore.dll+2d78c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027151Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:20:56.162{2E2BE06D-6DD8-60FA-1000-00000000E601}3841632C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2500-00000000E601}2756C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+2597b|C:\Windows\system32\wbem\wmiprvsd.dll+283dc|C:\Windows\system32\wbem\wmiprvsd.dll+57817|C:\Windows\system32\wbem\wmiprvsd.dll+8a475|C:\Windows\system32\wbem\wbemcore.dll+bcb3|C:\Windows\system32\wbem\wbemcore.dll+3393|C:\Windows\system32\wbem\wbemcore.dll+22adf|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+2c9be|C:\Windows\system32\wbem\wbemcore.dll+202d8|C:\Windows\system32\wbem\wbemcore.dll+390e|C:\Windows\system32\wbem\wbemcore.dll+22bba|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+22711|C:\Windows\system32\wbem\wbemcore.dll+2d78c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001027150Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:20:56.037{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF552F857642B96106443E221B75F8FF,SHA256=359BDB243180ECB44DF6CF101D03988B61EF63FF58E113C7F8C290DB8AF192C4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000890218Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:20:57.959{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB045F353033907C3D7EFD4E7C77C3AB,SHA256=1AF1070CE8F13B9CA516074AC3DFA3B9AC0F7BE5A6BD9D9B453754B1B151B8C9,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001027167Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:20:57.248{2E2BE06D-6DF4-60FA-6900-00000000E601}3676C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-56.attackrange.local59194-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x80000000000000001027166Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:20:57.241{2E2BE06D-6DD6-60FA-0B00-00000000E601}6366964C:\Windows\system32\lsass.exe{2E2BE06D-6DD3-60FA-0100-00000000E601}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 13241300x80000000000000001027165Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-SetValue2021-07-26 08:20:57.115{2E2BE06D-6DD8-60FA-1200-00000000E601}780C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{12224b8f-a778-4a84-8f7b-f4687e5421a8}\DhcpConnForceBroadcastFlagDWORD (0x00000000) 13241300x80000000000000001027164Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-SetValue2021-07-26 08:20:57.115{2E2BE06D-6DD8-60FA-1200-00000000E601}780C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{12224b8f-a778-4a84-8f7b-f4687e5421a8}\IsServerNapAwareDWORD (0x00000000) 13241300x80000000000000001027163Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-SetValue2021-07-26 08:20:57.115{2E2BE06D-6DD8-60FA-1200-00000000E601}780C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{12224b8f-a778-4a84-8f7b-f4687e5421a8}\AddressTypeDWORD (0x00000000) 13241300x80000000000000001027162Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-SetValue2021-07-26 08:20:57.115{2E2BE06D-6DD8-60FA-1200-00000000E601}780C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{12224b8f-a778-4a84-8f7b-f4687e5421a8}\LeaseTerminatesTimeDWORD (0x60fe7e79) 13241300x80000000000000001027161Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-SetValue2021-07-26 08:20:57.115{2E2BE06D-6DD8-60FA-1200-00000000E601}780C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{12224b8f-a778-4a84-8f7b-f4687e5421a8}\T2DWORD (0x60fe7cb7) 13241300x80000000000000001027160Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-SetValue2021-07-26 08:20:57.115{2E2BE06D-6DD8-60FA-1200-00000000E601}780C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{12224b8f-a778-4a84-8f7b-f4687e5421a8}\T1DWORD (0x60fe7771) 13241300x80000000000000001027159Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-SetValue2021-07-26 08:20:57.115{2E2BE06D-6DD8-60FA-1200-00000000E601}780C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{12224b8f-a778-4a84-8f7b-f4687e5421a8}\LeaseObtainedTimeDWORD (0x60fe7069) 13241300x80000000000000001027158Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-SetValue2021-07-26 08:20:57.115{2E2BE06D-6DD8-60FA-1200-00000000E601}780C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{12224b8f-a778-4a84-8f7b-f4687e5421a8}\LeaseDWORD (0x00000e10) 13241300x80000000000000001027157Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-SetValue2021-07-26 08:20:57.115{2E2BE06D-6DD8-60FA-1200-00000000E601}780C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{12224b8f-a778-4a84-8f7b-f4687e5421a8}\DhcpServer10.0.1.1 13241300x80000000000000001027156Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-SetValue2021-07-26 08:20:57.115{2E2BE06D-6DD8-60FA-1200-00000000E601}780C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{12224b8f-a778-4a84-8f7b-f4687e5421a8}\DhcpSubnetMask255.255.255.0 13241300x80000000000000001027155Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-SetValue2021-07-26 08:20:57.115{2E2BE06D-6DD8-60FA-1200-00000000E601}780C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{12224b8f-a778-4a84-8f7b-f4687e5421a8}\DhcpIPAddress10.0.1.14 13241300x80000000000000001027154Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-SetValue2021-07-26 08:20:57.115{2E2BE06D-6DD8-60FA-1200-00000000E601}780C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{12224b8f-a778-4a84-8f7b-f4687e5421a8}\DhcpInterfaceOptionsBinary Data 23542300x80000000000000001027153Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:20:57.037{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D27058111A29D51B9F53898AE902A8E5,SHA256=FA522ACA4DC77C5740AC5C7FCB5467385534BF4B9BC4454F9FC81417EA5D8292,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000890219Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:20:58.974{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A1651EB92D9636D0DF24813310EA5C42,SHA256=8CA57CB51CB1E5BB1EC966DF517F0AF73BA968F164FBFA79C57A97D893451499,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001027170Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:20:58.287{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DDE6B2B5374062C5D35B9EFE9AFA7F50,SHA256=062521DAEAE7B64AA0E8B5F5BE26FA96632F43F540FCA0D6E778352795974944,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001027169Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:20:58.287{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=266576D414C0F0EAE089FA3C4401AD83,SHA256=7F3F47355CC521F9AFC8F9C68BF78D6916904F05AA11C8CC46A5C92D765840AC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001027168Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:20:58.068{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B40F391E5E823464AE4DCAF33879BA6,SHA256=254365928DCE61FF037B6B46BED6BB53C61E64141345E02E00255BA0140C214E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000890220Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:20:59.974{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=915327E025C3023BCF8BFF04231B10FD,SHA256=ECE9A84CF896BCA96E4BC6392EA4EB1A65A4CE9DC903D1E01176171D80E00388,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001027224Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:20:58.375{2E2BE06D-6DD3-60FA-0100-00000000E601}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:90d2:7368:bb37:9ac5win-dc-56.attackrange.local59195-truefe80:0:0:0:90d2:7368:bb37:9ac5win-dc-56.attackrange.local445microsoft-ds 354300x80000000000000001027223Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:20:58.375{2E2BE06D-6DD3-60FA-0100-00000000E601}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:90d2:7368:bb37:9ac5win-dc-56.attackrange.local59195-truefe80:0:0:0:90d2:7368:bb37:9ac5win-dc-56.attackrange.local445microsoft-ds 354300x80000000000000001027222Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:20:58.255{2E2BE06D-6DD8-60FA-1500-00000000E601}1132C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetruea00:10e:0:0:c810:29f6:689:ffff-55573-truee000:fc:0:0:0:0:0:0-5355llmnr 354300x80000000000000001027221Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:20:58.255{2E2BE06D-6DD8-60FA-1500-00000000E601}1132C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetruefe80:0:0:0:90d2:7368:bb37:9ac5win-dc-56.attackrange.local55573-trueff02:0:0:0:0:0:1:3-5355llmnr 354300x80000000000000001027220Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:20:58.247{2E2BE06D-6DD8-60FA-1200-00000000E601}780C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruefalse10.0.1.14win-dc-56.attackrange.local68bootpcfalse10.0.1.1ip-10-0-1-1.eu-central-1.compute.internal67bootps 354300x80000000000000001027219Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:20:58.138{2E2BE06D-6DE8-60FA-2800-00000000E601}2908C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse10.0.1.14win-dc-56.attackrange.local61638-false10.0.0.2ip-10-0-0-2.eu-central-1.compute.internal53domain 354300x80000000000000001027218Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:20:58.138{2E2BE06D-6DE8-60FA-2800-00000000E601}2908C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-56.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-56.attackrange.local64796- 354300x80000000000000001027217Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:20:58.138{2E2BE06D-6DD8-60FA-1500-00000000E601}1132C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetrue0:0:0:0:0:0:0:1win-dc-56.attackrange.local64796-true0:0:0:0:0:0:0:1win-dc-56.attackrange.local53domain 10341000x80000000000000001027216Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:20:59.178{2E2BE06D-6DD8-60FA-0D00-00000000E601}904924C:\Windows\system32\svchost.exe{2E2BE06D-CA35-60FA-720B-00000000E601}3556C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027215Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:20:59.178{2E2BE06D-6DD8-60FA-0D00-00000000E601}904924C:\Windows\system32\svchost.exe{2E2BE06D-CA35-60FA-720B-00000000E601}3556C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027214Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:20:59.178{2E2BE06D-6DD8-60FA-0D00-00000000E601}904924C:\Windows\system32\svchost.exe{2E2BE06D-CA35-60FA-720B-00000000E601}3556C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027213Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:20:59.178{2E2BE06D-6DD8-60FA-0D00-00000000E601}904924C:\Windows\system32\svchost.exe{2E2BE06D-CA35-60FA-720B-00000000E601}3556C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027212Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:20:59.178{2E2BE06D-6DD8-60FA-0D00-00000000E601}904924C:\Windows\system32\svchost.exe{2E2BE06D-CA35-60FA-720B-00000000E601}3556C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027211Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:20:59.178{2E2BE06D-6DD8-60FA-0D00-00000000E601}904924C:\Windows\system32\svchost.exe{2E2BE06D-CA35-60FA-720B-00000000E601}3556C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027210Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:20:59.178{2E2BE06D-6DD8-60FA-0D00-00000000E601}904924C:\Windows\system32\svchost.exe{2E2BE06D-CA35-60FA-720B-00000000E601}3556C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027209Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:20:59.178{2E2BE06D-6DD8-60FA-0D00-00000000E601}904924C:\Windows\system32\svchost.exe{2E2BE06D-CA35-60FA-720B-00000000E601}3556C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027208Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:20:59.178{2E2BE06D-6DD8-60FA-0D00-00000000E601}904924C:\Windows\system32\svchost.exe{2E2BE06D-CA2C-60FA-630B-00000000E601}4728C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027207Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:20:59.178{2E2BE06D-6DD8-60FA-0D00-00000000E601}904924C:\Windows\system32\svchost.exe{2E2BE06D-CA2C-60FA-630B-00000000E601}4728C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027206Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:20:59.178{2E2BE06D-6DD8-60FA-0D00-00000000E601}904924C:\Windows\system32\svchost.exe{2E2BE06D-CA2C-60FA-630B-00000000E601}4728C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027205Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:20:59.178{2E2BE06D-6DD8-60FA-0D00-00000000E601}904924C:\Windows\system32\svchost.exe{2E2BE06D-CA2C-60FA-630B-00000000E601}4728C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027204Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:20:59.178{2E2BE06D-6DD8-60FA-0D00-00000000E601}904924C:\Windows\system32\svchost.exe{2E2BE06D-CA2C-60FA-630B-00000000E601}4728C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027203Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:20:59.178{2E2BE06D-6DD8-60FA-0D00-00000000E601}904924C:\Windows\system32\svchost.exe{2E2BE06D-CA2C-60FA-630B-00000000E601}4728C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027202Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:20:59.178{2E2BE06D-6DD8-60FA-0D00-00000000E601}904924C:\Windows\system32\svchost.exe{2E2BE06D-CA2C-60FA-630B-00000000E601}4728C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027201Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:20:59.178{2E2BE06D-6DD8-60FA-0D00-00000000E601}904924C:\Windows\system32\svchost.exe{2E2BE06D-CA2C-60FA-630B-00000000E601}4728C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027200Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:20:59.178{2E2BE06D-6DD8-60FA-0D00-00000000E601}904924C:\Windows\system32\svchost.exe{2E2BE06D-CA2C-60FA-630B-00000000E601}4728C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027199Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:20:59.178{2E2BE06D-6DD8-60FA-0D00-00000000E601}904924C:\Windows\system32\svchost.exe{2E2BE06D-CA2C-60FA-630B-00000000E601}4728C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027198Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:20:59.178{2E2BE06D-6DD8-60FA-0D00-00000000E601}904924C:\Windows\system32\svchost.exe{2E2BE06D-CA2C-60FA-630B-00000000E601}4728C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027197Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:20:59.178{2E2BE06D-6DD8-60FA-0D00-00000000E601}904924C:\Windows\system32\svchost.exe{2E2BE06D-CA2C-60FA-630B-00000000E601}4728C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027196Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:20:59.178{2E2BE06D-6DD8-60FA-0D00-00000000E601}904924C:\Windows\system32\svchost.exe{2E2BE06D-CA2C-60FA-630B-00000000E601}4728C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027195Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:20:59.178{2E2BE06D-6DD8-60FA-0D00-00000000E601}904924C:\Windows\system32\svchost.exe{2E2BE06D-CA2C-60FA-630B-00000000E601}4728C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027194Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:20:59.178{2E2BE06D-6DD8-60FA-0D00-00000000E601}904924C:\Windows\system32\svchost.exe{2E2BE06D-CA2C-60FA-630B-00000000E601}4728C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027193Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:20:59.178{2E2BE06D-6DD8-60FA-0D00-00000000E601}904924C:\Windows\system32\svchost.exe{2E2BE06D-CA2C-60FA-630B-00000000E601}4728C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027192Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:20:59.178{2E2BE06D-6DD8-60FA-0D00-00000000E601}904924C:\Windows\system32\svchost.exe{2E2BE06D-CA2C-60FA-630B-00000000E601}4728C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027191Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:20:59.178{2E2BE06D-6DD8-60FA-0D00-00000000E601}904924C:\Windows\system32\svchost.exe{2E2BE06D-CA2C-60FA-630B-00000000E601}4728C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027190Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:20:59.178{2E2BE06D-6DD8-60FA-0D00-00000000E601}904924C:\Windows\system32\svchost.exe{2E2BE06D-CA2C-60FA-630B-00000000E601}4728C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027189Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:20:59.178{2E2BE06D-6DD8-60FA-0D00-00000000E601}904924C:\Windows\system32\svchost.exe{2E2BE06D-CA2C-60FA-630B-00000000E601}4728C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027188Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:20:59.178{2E2BE06D-6DD8-60FA-0D00-00000000E601}904924C:\Windows\system32\svchost.exe{2E2BE06D-CA36-60FA-730B-00000000E601}712C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027187Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:20:59.178{2E2BE06D-6DD8-60FA-0D00-00000000E601}904924C:\Windows\system32\svchost.exe{2E2BE06D-CA36-60FA-730B-00000000E601}712C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027186Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:20:59.178{2E2BE06D-6DD8-60FA-0D00-00000000E601}904924C:\Windows\system32\svchost.exe{2E2BE06D-CA36-60FA-730B-00000000E601}712C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 13241300x80000000000000001027185Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-SetValue2021-07-26 08:20:59.146{2E2BE06D-6DD8-60FA-1500-00000000E601}1132C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{12224B8F-A778-4A84-8F7B-F4687E5421A8}\RegisteredSinceBootDWORD (0x00000001) 13241300x80000000000000001027184Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-SetValue2021-07-26 08:20:59.146{2E2BE06D-6DD8-60FA-1500-00000000E601}1132C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{12224B8F-A778-4A84-8F7B-F4687E5421A8}\StaleAdapterDWORD (0x00000000) 13241300x80000000000000001027183Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-SetValue2021-07-26 08:20:59.146{2E2BE06D-6DD8-60FA-1500-00000000E601}1132C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{12224B8F-A778-4A84-8F7B-F4687E5421A8}\CompartmentIdDWORD (0x00000001) 13241300x80000000000000001027182Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-SetValue2021-07-26 08:20:59.146{2E2BE06D-6DD8-60FA-1500-00000000E601}1132C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{12224B8F-A778-4A84-8F7B-F4687E5421A8}\FlagsDWORD (0x00000002) 13241300x80000000000000001027181Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-SetValue2021-07-26 08:20:59.146{2E2BE06D-6DD8-60FA-1500-00000000E601}1132C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{12224B8F-A778-4A84-8F7B-F4687E5421A8}\TtlDWORD (0x000004b0) 13241300x80000000000000001027180Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-SetValue2021-07-26 08:20:59.146{2E2BE06D-6DD8-60FA-1500-00000000E601}1132C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{12224B8F-A778-4A84-8F7B-F4687E5421A8}\SentPriUpdateToIpBinary Data 13241300x80000000000000001027179Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-SetValue2021-07-26 08:20:59.146{2E2BE06D-6DD8-60FA-1500-00000000E601}1132C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{12224B8F-A778-4A84-8F7B-F4687E5421A8}\SentUpdateToIpBinary Data 13241300x80000000000000001027178Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-SetValue2021-07-26 08:20:59.146{2E2BE06D-6DD8-60FA-1500-00000000E601}1132C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{12224B8F-A778-4A84-8F7B-F4687E5421A8}\DnsServersBinary Data 13241300x80000000000000001027177Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-SetValue2021-07-26 08:20:59.146{2E2BE06D-6DD8-60FA-1500-00000000E601}1132C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{12224B8F-A778-4A84-8F7B-F4687E5421A8}\HostAddrsBinary Data 13241300x80000000000000001027176Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-SetValue2021-07-26 08:20:59.146{2E2BE06D-6DD8-60FA-1500-00000000E601}1132C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{12224B8F-A778-4A84-8F7B-F4687E5421A8}\PrimaryDomainNameattackrange.local 13241300x80000000000000001027175Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-SetValue2021-07-26 08:20:59.146{2E2BE06D-6DD8-60FA-1500-00000000E601}1132C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{12224B8F-A778-4A84-8F7B-F4687E5421A8}\AdapterDomainName(Empty) 13241300x80000000000000001027174Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-SetValue2021-07-26 08:20:59.146{2E2BE06D-6DD8-60FA-1500-00000000E601}1132C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{12224B8F-A778-4A84-8F7B-F4687E5421A8}\Hostnamewin-dc-56 10341000x80000000000000001027173Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:20:59.146{2E2BE06D-6DD6-60FA-0B00-00000000E601}6366964C:\Windows\system32\lsass.exe{2E2BE06D-6DD8-60FA-1500-00000000E601}1132C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+304a5|C:\Windows\system32\lsasrv.dll+2e33b|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 13241300x80000000000000001027172Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-SetValue2021-07-26 08:20:59.146{2E2BE06D-6DD8-60FA-1500-00000000E601}1132C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{12224B8F-A778-4A84-8F7B-F4687E5421A8}\RegisteredSinceBootDWORD (0x00000001) 23542300x80000000000000001027171Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:20:59.115{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E533B4F9E4179465B484B0FD576E4E6,SHA256=907B21788A24E1BC014841F1F221DA346CC86CB8DFDDDB3D1DA47424D12BECAD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000890222Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:21:00.990{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=137F49F836CE84DA3B9493A984117E89,SHA256=5A8CF33F166A5E0783027BA3A57F091E685EFB8B8016520F7BA334A33351A16D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001027226Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:21:00.381{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DDE6B2B5374062C5D35B9EFE9AFA7F50,SHA256=062521DAEAE7B64AA0E8B5F5BE26FA96632F43F540FCA0D6E778352795974944,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001027225Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:21:00.209{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=04BF99F5130FC358D238938755B17E18,SHA256=979138AF4C33773CAB68642145634AEA6AF468479CD0E03D010D946D14184B3F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000890221Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:20:50.152{D94AFF6C-6DE2-60FA-6100-00000000E701}3628C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-702.eu-central-1.compute.internal52505-false10.0.1.12-8000- 23542300x8000000000000000890223Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:21:01.990{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6CCD66537CD9955D1A18F6A80CB403D0,SHA256=385BC3724A934BC885B521C88EB71B87707F9C2AD6F403CE593FAC340CD9C112,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001027235Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:21:00.287{2E2BE06D-6DD6-60FA-0B00-00000000E601}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-56.attackrange.local57360-true0:0:0:0:0:0:0:1win-dc-56.attackrange.local389ldap 354300x80000000000000001027234Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:21:00.287{2E2BE06D-6DE8-60FA-2800-00000000E601}2908C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-56.attackrange.local57360-true0:0:0:0:0:0:0:1win-dc-56.attackrange.local389ldap 354300x80000000000000001027233Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:21:00.286{2E2BE06D-6DE8-60FA-2800-00000000E601}2908C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-56.attackrange.local53domainfalse10.0.1.14win-dc-56.attackrange.local56214- 354300x80000000000000001027232Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:21:00.285{2E2BE06D-6DE8-60FA-2800-00000000E601}2908C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-56.attackrange.local57359-false10.0.1.14win-dc-56.attackrange.local53domain 354300x80000000000000001027231Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:21:00.285{2E2BE06D-6DD8-60FA-1500-00000000E601}1132C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcptruefalse10.0.1.14win-dc-56.attackrange.local57359-false10.0.1.14win-dc-56.attackrange.local53domain 354300x80000000000000001027230Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:21:00.283{2E2BE06D-6DE8-60FA-2800-00000000E601}2908C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-56.attackrange.local53domainfalse10.0.1.14win-dc-56.attackrange.local64796- 354300x80000000000000001027229Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:21:00.283{2E2BE06D-6DD8-60FA-1500-00000000E601}1132C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruefalse10.0.1.14win-dc-56.attackrange.local64796-false10.0.1.14win-dc-56.attackrange.local53domain 354300x80000000000000001027228Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:21:00.282{2E2BE06D-6DE8-60FA-2800-00000000E601}2908C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-56.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-56.attackrange.local52299- 23542300x80000000000000001027227Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:21:01.225{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E1DB59EB27ED820F203021EF9FBC77E,SHA256=E8617ECFD94B181AE7631361D3601FBB62BEF3BC60D3CF8EDE3D080CD838A516,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001027243Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:21:00.294{2E2BE06D-6DE8-60FA-2800-00000000E601}2908C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-56.attackrange.local53domainfalse10.0.1.14win-dc-56.attackrange.local51379- 354300x80000000000000001027242Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:21:00.294{2E2BE06D-6DE8-60FA-2800-00000000E601}2908C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-56.attackrange.local59570-false10.0.1.14win-dc-56.attackrange.local53domain 354300x80000000000000001027241Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:21:00.294{2E2BE06D-6DE8-60FA-2800-00000000E601}2908C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-56.attackrange.local53domainfalse10.0.1.14win-dc-56.attackrange.local59570- 354300x80000000000000001027240Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:21:00.294{2E2BE06D-6DE8-60FA-2800-00000000E601}2908C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruetruea00:10e:0:0:c810:29f6:689:ffff-59570-truea00:10e:0:0:0:0:0:0win-dc-56.attackrange.local53domain 354300x80000000000000001027239Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:21:00.293{2E2BE06D-6DE8-60FA-2800-00000000E601}2908C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-56.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-56.attackrange.local50728- 354300x80000000000000001027238Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:21:00.293{2E2BE06D-6DE8-60FA-2800-00000000E601}2908C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-56.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-56.attackrange.local58411- 354300x80000000000000001027237Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:21:00.293{2E2BE06D-6DE8-60FA-2800-00000000E601}2908C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruetrue0:0:0:0:0:0:0:1win-dc-56.attackrange.local58411-true0:0:0:0:0:0:0:1win-dc-56.attackrange.local53domain 23542300x80000000000000001027236Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:21:02.240{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=73A30BAE717B747627BAA20B2CE25C46,SHA256=5FAAFE6EC4390791EE479D491A467E20D45E09A6A90E37B1CB7DB64AD78CC2C4,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001027248Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:21:03.185{2E2BE06D-6DF4-60FA-6900-00000000E601}3676C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-56.attackrange.local57361-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001027247Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:21:03.240{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F718ECC47ED74E1220F5EF6AA4727E2B,SHA256=2F237B38135471F01B575D07A3FDFF1E91B852368AF681CE835D669EDACB5A0A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000890224Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:21:03.005{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=217ACAC7CD703EABCBA560E7D4A26A21,SHA256=C44AB4AFD06EFC533D772C23B00F616FB13C2B9A32B5C1B88ECB908CEA13E29C,IMPHASH=00000000000000000000000000000000falsetrue 13241300x80000000000000001027246Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-SetValue2021-07-26 08:21:03.131{2E2BE06D-6DE8-60FA-2500-00000000E601}2756C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Volumes\80A749DD-0000-0000-0000-100000000000\Volume Configuration File\\.\C:\System Volume Information\DFSR\Config\Volume_80A749DD-0000-0000-0000-100000000000.XML 13241300x80000000000000001027245Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-SetValue2021-07-26 08:21:03.115{2E2BE06D-6DE8-60FA-2500-00000000E601}2756C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\FF0B1A08-CD41-4F90-8CA9-0CD1036C849E\Config SourceDWORD (0x00000001) 13241300x80000000000000001027244Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-SetValue2021-07-26 08:21:03.115{2E2BE06D-6DE8-60FA-2500-00000000E601}2756C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\FF0B1A08-CD41-4F90-8CA9-0CD1036C849E\Replica Set Configuration File\\?\C:\System Volume Information\DFSR\Config\Replica_FF0B1A08-CD41-4F90-8CA9-0CD1036C849E.XML 354300x80000000000000001027254Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:21:04.263{2E2BE06D-6DD6-60FA-0B00-00000000E601}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:90d2:7368:bb37:9ac5win-dc-56.attackrange.local57363-truefe80:0:0:0:90d2:7368:bb37:9ac5win-dc-56.attackrange.local389ldap 354300x80000000000000001027253Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:21:04.263{2E2BE06D-6DE8-60FA-2500-00000000E601}2756C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:90d2:7368:bb37:9ac5win-dc-56.attackrange.local57363-truefe80:0:0:0:90d2:7368:bb37:9ac5win-dc-56.attackrange.local389ldap 354300x80000000000000001027252Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:21:04.249{2E2BE06D-6DD8-60FA-0D00-00000000E601}904C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:90d2:7368:bb37:9ac5win-dc-56.attackrange.local57362-truefe80:0:0:0:90d2:7368:bb37:9ac5win-dc-56.attackrange.local135epmap 354300x80000000000000001027251Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:21:04.249{2E2BE06D-6DE8-60FA-2500-00000000E601}2756C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:90d2:7368:bb37:9ac5win-dc-56.attackrange.local57362-truefe80:0:0:0:90d2:7368:bb37:9ac5win-dc-56.attackrange.local135epmap 23542300x80000000000000001027250Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:21:04.303{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C9051A643B3B98DC4DF92986C6FA3BF,SHA256=10EE2D97385A903D8A9A327A7B08960751A97E0FE37CCBCFDE065D71DC0F4640,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000890225Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:21:04.021{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B839E77D55A72ACE429ED86DC238A0E,SHA256=BE4197BCB632099C8797DE3EACE5C2AF570E9BDFB0BA44BE968270EE8C2BFDE6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001027249Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:21:04.131{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0AC539948831C39563B8F564D8FF8353,SHA256=2D33B4422A7E5A5A62FAFFEBAA281094F06D8A8C36E03E614B6279BF79B049A7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001027257Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:21:05.303{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CD45DA8F354DAEDC470AD3E0ADD20011,SHA256=E69A7B9C46F92B7C9B322408E9D7CFBD4B27078F5EAFA037566C83AE7A00A5DA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000890242Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:21:05.584{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD8-60FA-0B00-00000000E701}632C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000890241Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:21:05.584{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD8-60FA-0B00-00000000E701}632C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000890240Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:21:05.584{D94AFF6C-6DD8-60FA-0B00-00000000E701}6322508C:\Windows\system32\lsass.exe{D94AFF6C-6DD8-60FA-0A00-00000000E701}624C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 13241300x8000000000000000890239Microsoft-Windows-Sysmon/Operationalwin-host-702-SetValue2021-07-26 08:21:05.584{D94AFF6C-6DD8-60FA-1100-00000000E701}972C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{e7ee57ae-31fe-4782-8cd8-f26d2791751a}\DhcpConnForceBroadcastFlagDWORD (0x00000000) 13241300x8000000000000000890238Microsoft-Windows-Sysmon/Operationalwin-host-702-SetValue2021-07-26 08:21:05.584{D94AFF6C-6DD8-60FA-1100-00000000E701}972C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{e7ee57ae-31fe-4782-8cd8-f26d2791751a}\IsServerNapAwareDWORD (0x00000000) 13241300x8000000000000000890237Microsoft-Windows-Sysmon/Operationalwin-host-702-SetValue2021-07-26 08:21:05.584{D94AFF6C-6DD8-60FA-1100-00000000E701}972C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{e7ee57ae-31fe-4782-8cd8-f26d2791751a}\AddressTypeDWORD (0x00000000) 13241300x8000000000000000890236Microsoft-Windows-Sysmon/Operationalwin-host-702-SetValue2021-07-26 08:21:05.584{D94AFF6C-6DD8-60FA-1100-00000000E701}972C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{e7ee57ae-31fe-4782-8cd8-f26d2791751a}\LeaseTerminatesTimeDWORD (0x60fe7e81) 13241300x8000000000000000890235Microsoft-Windows-Sysmon/Operationalwin-host-702-SetValue2021-07-26 08:21:05.584{D94AFF6C-6DD8-60FA-1100-00000000E701}972C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{e7ee57ae-31fe-4782-8cd8-f26d2791751a}\T2DWORD (0x60fe7cbf) 13241300x8000000000000000890234Microsoft-Windows-Sysmon/Operationalwin-host-702-SetValue2021-07-26 08:21:05.584{D94AFF6C-6DD8-60FA-1100-00000000E701}972C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{e7ee57ae-31fe-4782-8cd8-f26d2791751a}\T1DWORD (0x60fe7779) 13241300x8000000000000000890233Microsoft-Windows-Sysmon/Operationalwin-host-702-SetValue2021-07-26 08:21:05.584{D94AFF6C-6DD8-60FA-1100-00000000E701}972C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{e7ee57ae-31fe-4782-8cd8-f26d2791751a}\LeaseObtainedTimeDWORD (0x60fe7071) 13241300x8000000000000000890232Microsoft-Windows-Sysmon/Operationalwin-host-702-SetValue2021-07-26 08:21:05.584{D94AFF6C-6DD8-60FA-1100-00000000E701}972C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{e7ee57ae-31fe-4782-8cd8-f26d2791751a}\LeaseDWORD (0x00000e10) 13241300x8000000000000000890231Microsoft-Windows-Sysmon/Operationalwin-host-702-SetValue2021-07-26 08:21:05.584{D94AFF6C-6DD8-60FA-1100-00000000E701}972C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{e7ee57ae-31fe-4782-8cd8-f26d2791751a}\DhcpServer10.0.1.1 13241300x8000000000000000890230Microsoft-Windows-Sysmon/Operationalwin-host-702-SetValue2021-07-26 08:21:05.584{D94AFF6C-6DD8-60FA-1100-00000000E701}972C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{e7ee57ae-31fe-4782-8cd8-f26d2791751a}\DhcpSubnetMask255.255.255.0 13241300x8000000000000000890229Microsoft-Windows-Sysmon/Operationalwin-host-702-SetValue2021-07-26 08:21:05.584{D94AFF6C-6DD8-60FA-1100-00000000E701}972C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{e7ee57ae-31fe-4782-8cd8-f26d2791751a}\DhcpIPAddress10.0.1.15 13241300x8000000000000000890228Microsoft-Windows-Sysmon/Operationalwin-host-702-SetValue2021-07-26 08:21:05.584{D94AFF6C-6DD8-60FA-1100-00000000E701}972C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{e7ee57ae-31fe-4782-8cd8-f26d2791751a}\DhcpInterfaceOptionsBinary Data 354300x8000000000000000890227Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:20:55.230{D94AFF6C-6DE2-60FA-6100-00000000E701}3628C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-702.eu-central-1.compute.internal52506-false10.0.1.12-8000- 23542300x8000000000000000890226Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:21:05.021{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=572ABC08BC9E89F0F38F0F276D917C86,SHA256=81F39FF29753969AF6C3BE8F2D78DCDF3C608835BFE08958CC259F043631F75C,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001027256Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:21:04.270{2E2BE06D-6DD6-60FA-0B00-00000000E601}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:90d2:7368:bb37:9ac5win-dc-56.attackrange.local57364-truefe80:0:0:0:90d2:7368:bb37:9ac5win-dc-56.attackrange.local389ldap 354300x80000000000000001027255Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:21:04.270{2E2BE06D-6DE8-60FA-2500-00000000E601}2756C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:90d2:7368:bb37:9ac5win-dc-56.attackrange.local57364-truefe80:0:0:0:90d2:7368:bb37:9ac5win-dc-56.attackrange.local389ldap 23542300x80000000000000001027258Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:21:06.318{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BFB4657E8902C0A3B982743DB077E39E,SHA256=6BA40552F911EB522F174A6CA656B131E8E1E4781159B39D4FCC12501E461842,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000890245Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:21:06.599{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=E9818F311E5C33F6E90B8E3A0DEA77FA,SHA256=444EE4FD71C8F9C3643055F8AE969124369368DB822412F116C8DB244DAC9616,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000890244Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:21:06.599{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=718C31ED7211B316F5C6406DEAEB24A6,SHA256=FAFAC7ED7580572EE31305DECCC14DFECBEA2C135E786998DD545933BC7F7B47,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000890243Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:21:06.037{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=25E0A307FC5CBB5649CA1E745E69BA47,SHA256=1D17986D03ADF154972B2069AC4EAE38F66DE4D409E77CA31A7672D46CC5D641,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001027259Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:21:07.320{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=75C6E80500932267462FC7127CFE4818,SHA256=38BC7E194ABBA94204CAAEA58BDDE3B40A4B050631B03CE9CFCC5B76CDA8C097,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000890248Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:20:57.621{D94AFF6C-6DD8-60FA-1100-00000000E701}972C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruefalse10.0.1.15win-host-702.eu-central-1.compute.internal68bootpcfalse10.0.1.1ip-10-0-1-1.eu-central-1.compute.internal67bootps 13241300x8000000000000000890247Microsoft-Windows-Sysmon/Operationalwin-host-702-SetValue2021-07-26 08:21:07.397{D94AFF6C-6DD8-60FA-1500-00000000E701}1052C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d781f7-0x2edecab6) 23542300x8000000000000000890246Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:21:07.038{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D304D68684B8458B69B03B064ECEF91,SHA256=939FBA450C725E8E85D6D15419935DDEDD8CF2AB4817A3B4FC041DE8949E2A38,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000890253Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:20:57.715{D94AFF6C-6DD8-60FA-1700-00000000E701}1200C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudpfalsefalse10.0.1.15win-host-702.eu-central-1.compute.internal61029-false10.0.1.14-53domain 354300x8000000000000000890252Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:20:57.714{D94AFF6C-6DD8-60FA-1700-00000000E701}1200C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetruea00:10f:0:0:c810:666b:8b89:ffff-61029-truea00:10e:0:0:0:0:0:0-53domain 354300x8000000000000000890251Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:20:57.632{D94AFF6C-6DD8-60FA-1700-00000000E701}1200C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetruea00:10f:0:0:c810:666b:8b89:ffff-62955-truee000:fc:0:0:0:0:0:0-5355llmnr 354300x8000000000000000890250Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:20:57.632{D94AFF6C-6DD8-60FA-1700-00000000E701}1200C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetruefe80:0:0:0:7d9e:68ad:2370:b7c0win-host-702.eu-central-1.compute.internal62955-trueff02:0:0:0:0:0:1:3-5355llmnr 23542300x8000000000000000890249Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:21:08.053{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B404D906021FEBE2618F7499AB9D840F,SHA256=D6D893DB727CEA766EE8397931A8C5E83A2015567EF9958EA9ED58D5980310F7,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001027262Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:21:08.279{2E2BE06D-6DF4-60FA-6900-00000000E601}3676C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-56.attackrange.local57365-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001027261Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:21:06.811{2E2BE06D-6DE8-60FA-2800-00000000E601}2908C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-56.attackrange.local53domainfalse10.0.1.15WIN-HOST-70261029- 23542300x80000000000000001027260Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:21:08.369{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8726973CD9429E13A80C1BE4A70C3843,SHA256=8FAD037983C15D12468CB1AC45E45BD77F72C25CD8BD531BFAC9512358271A26,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001027264Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:21:09.435{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FBB8B8B68298D757201E0FCB06278657,SHA256=15A3ED43D24A1E08CD101351B5CF1564F904B1DABA392D3623AAE2DA17FFC60C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000890254Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:21:09.069{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=700C0F8157704B48CFAAC0E7973DF3FE,SHA256=083427BE43C7DB942D3F0656D01A46C0750F4132CFB68FDA25FB1493D777C772,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001027263Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:21:09.056{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E686A51FA9DEF5EDCB56A47E1250534B,SHA256=293620365D5794ED88AD0ADF86A288892B99EF7EB35FF1D17BCB1F2EBBD949BE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001027265Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:21:10.560{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F595CDDE878F64EE43779C040726668,SHA256=5B20BDF320C96ABF889998413CBB366F1E5316917967C1B0CC59C112BF7DCAD6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000890255Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:21:10.069{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E97B926EFC6734FFC58377FE38884571,SHA256=8232CC5E5A5F83AAEF07571E5DDDC043E8219B1FD49ED88FFB2CBAE3D5985D41,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001027266Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:21:11.591{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=85120569B29AB9AB1B45EFD6F5B024C1,SHA256=2A2889B3180D1C24E535D9FF7E9B1D737A8DA2F73BF5F48C83D51CD3D5B8013D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000890257Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:21:11.085{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=83C3C9D80FBFF84E6690BD34F0B08B47,SHA256=7E26F981F139BF076AE97DAD21B2CBE5CA15E2BEA72EBE358C033B47E89BD4AF,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000890256Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:21:01.168{D94AFF6C-6DE2-60FA-6100-00000000E701}3628C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-702.eu-central-1.compute.internal52507-false10.0.1.12-8000- 23542300x80000000000000001027267Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:21:12.622{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F56DA47A7CE0B69424257C75650C2C8C,SHA256=B12A53F0A951D44CAD06C44B06F200304C24D3E3439B1903D51F72C9250CDCD2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000890258Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:21:12.100{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E7AF0D9BE62F87C8D9386E7E27EA63A,SHA256=C74C11810DBB2E16626ED15875C37341E74DC72ED2E8FC2790F17170B47F203D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001027268Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:21:13.858{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=90483C7C40FF6806ACB7E94309393F00,SHA256=8E1687776FC332F475B7726A6251FFB1533A9DAB453CB36D1D1E5DE317A00AF5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000890259Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:21:13.116{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA25E5AB973B07E5B4A4947C2E70B5A8,SHA256=277BE5612DED6DB35CD7ED0CBAFF94B066E9FD79F1F05DB4C3D66B9E7E529F4A,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001027270Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:21:13.364{2E2BE06D-6DF4-60FA-6900-00000000E601}3676C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-56.attackrange.local57366-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001027269Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:21:14.874{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=73008A11DB5ABF1E876A2BC59E0039CA,SHA256=C54A695D2E0717D337437B1DE9363B42D5E0CB515A24903CCF96D15B9175D474,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000890260Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:21:14.194{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F226DB5ACA482A38B259FEDEE2F071DD,SHA256=AB190CDC25577F595FCDF6D7C3E0E187F75D33584B829BB04F2066ED2D636E5B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001027271Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:21:15.905{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D6B5D02ADB5A54EB5B02C817FAE5568E,SHA256=E8F71891BE71E8CEC4E139CA5DDF14C7DBF3CD8238CB96C8B0E393EACA45E0A4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000890261Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:21:15.428{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC5639D6C514AB75206A54A88D355CEA,SHA256=5F9A5E5FB0B8288509E0CBBB425BD0DD49C1123A7C9542ADF3126502F2157655,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000890263Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:21:16.522{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF1EA60974994AC17CBAEE0993C00D56,SHA256=25C92D483917A6D66EE70895C90B950C699EF3DA6144C09C65C211173020AEB6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001027272Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:21:16.967{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=70AE2A0776DD74CAB738E6CC16296E01,SHA256=81CC69EA802AC2BB15E2C0B8F42DAC83E85E95C3304BF54AA69EF66421BADF6C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000890262Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:21:06.293{D94AFF6C-6DE2-60FA-6100-00000000E701}3628C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-702.eu-central-1.compute.internal52508-false10.0.1.12-8000- 23542300x8000000000000000890264Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:21:17.756{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=075014D92761FF0C3CD61C7084F84B6C,SHA256=52269395EC6EB81A45BF27AF34DEF2952DAC2C5248178E5554165A815E32EAB2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001027275Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:21:17.983{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5575752A5D6E6919059EB0B2EA30E485,SHA256=EF53C8DBCAB10A24CEDC95C75528202B51F4C751050B5263F7FB73C7BEF53056,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001027274Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:21:17.842{2E2BE06D-6DD8-60FA-1200-00000000E601}780NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=B6EED1D7345A5D4575CC7AF1D8989219,SHA256=6CC791F69182C75A5DBAD2866FFC30CF7D2DAE5210CDC1C90FFE9E38E9F0D7A9,IMPHASH=00000000000000000000000000000000falsetrue 13241300x80000000000000001027273Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-SetValue2021-07-26 08:21:17.577{2E2BE06D-6DD8-60FA-1400-00000000E601}688C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d781f7-0x34f01526) 23542300x8000000000000000890265Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:21:18.991{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3E9DB694CEF43B92C7514CA107F6D125,SHA256=B827D0611AE6ABC9D42494784AE2C9505A4A40BCA0A337FF907E0C6F5A15FBFA,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001027277Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:21:18.693{2E2BE06D-6DD8-60FA-1400-00000000E601}688C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruefalse10.0.1.14win-dc-56.attackrange.local123ntpfalse169.254.169.123-123ntp 23542300x80000000000000001027276Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:21:18.999{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5EDA8A12082EBF8383E475F883081AF5,SHA256=CB073B2C8F5B4CD129024BBE4986A0D2B4947A7546FC7D37393D2866A3BB6020,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001027278Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:21:20.030{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BCE28F252BD826DD290269D62349BCF9,SHA256=9F262E420F0E279F67F333316961345FA134AEE597B2549BC5ED4B1E2359969D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000890268Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:21:20.741{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=452F29E435CC897721284EB5A4462931,SHA256=B94025F3B33FD7210F25A27A002679D09F9FB1300DF752E60E27622F4441C3E9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000890267Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:21:20.741{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=21AF432CC98FADB85DD1F260EBC19399,SHA256=45D0FA12ED2BDEB212E89CB544D544C291DAEEC24A428D3B746C31ED1FB36770,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000890266Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:21:20.053{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C41DE0FE77C1A19823A24D8001E9080,SHA256=9C3A556509F71FB9A7939743B31101AB5B6C1EBB03D912428F2DA589830FAAFB,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000890270Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:21:11.636{D94AFF6C-6DD8-60FA-1000-00000000E701}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse193.93.62.7-22522-false10.0.1.15win-host-702.eu-central-1.compute.internal3389ms-wbt-server 23542300x8000000000000000890269Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:21:21.100{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD01E6C43DFBD89E0F31E04CA59A1EDC,SHA256=894262AB9348C3CDA8F2EE6EF6E1568DF7F108622372392A59AF47C88C83499D,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001027280Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:21:19.334{2E2BE06D-6DF4-60FA-6900-00000000E601}3676C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-56.attackrange.local57367-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001027279Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:21:21.030{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ECDC7FFA417F1E4BE037D6795BF02A4A,SHA256=E4115129281BB1F32F1D3B40A2B7D57AD9D99A2D4D61D4DA4782A8722444AB67,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000890274Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:21:12.271{D94AFF6C-6DD8-60FA-1000-00000000E701}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse193.93.62.33-25199-false10.0.1.15win-host-702.eu-central-1.compute.internal3389ms-wbt-server 354300x8000000000000000890273Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:21:12.199{D94AFF6C-6DE2-60FA-6100-00000000E701}3628C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-702.eu-central-1.compute.internal52509-false10.0.1.12-8000- 23542300x8000000000000000890272Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:21:22.241{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=452F29E435CC897721284EB5A4462931,SHA256=B94025F3B33FD7210F25A27A002679D09F9FB1300DF752E60E27622F4441C3E9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000890271Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:21:22.210{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F1A309ADAF93F2C9A831BB483F1C1086,SHA256=D1D6B7C21E924485ABFAAE58A2F648DEC81D2A02C6A40555C9157EEC7D09F188,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001027281Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:21:22.077{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B2F68CDBE67F3118B956B7995C1101BD,SHA256=A2D4665377474A9E248C94CD6E25DF46E63C2E72D8211D7BCA494F1E243E67D4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000890275Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:21:23.210{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C2CB40926858946A23105E9280A323D5,SHA256=751D9EB44488600ABD8768A9107561D0537F21E3818FA5B84AB0B292CDE0EB6E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001027282Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:21:23.092{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A75399730341CB988D864102CD286D39,SHA256=66F3CAD09B0CFAD41662B065C7170413ADC1B1D8A2877BD697E299FFBB9D6DF9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000890276Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:21:24.225{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E4C02F0B5B1DF7443A30A30644A4696,SHA256=6D6C19132B65DACEEF185A6AFBF45D40B5BB8D1686A4254D6487D90160274DEA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001027284Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:21:24.952{2E2BE06D-6DE8-60FA-2700-00000000E601}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=85E02EEFEB94889C2B3FA0450D64D965,SHA256=FD2D44B44F455C51F744FDF6D494B2B2CAA113DD2D7C2DD2E0FED42E8CA25B0C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001027283Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:21:24.108{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D01A5E0E10954818B6DE86C71C9C39C3,SHA256=0499CF65F47D6B721C1AD5988E19AC03DF0D9789909308A0FE153DB335650231,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001027286Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:21:25.303{2E2BE06D-6DF4-60FA-6900-00000000E601}3676C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-56.attackrange.local57368-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001027285Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:21:25.280{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2516C92CC0E68B587D9BCB76FFD90CEF,SHA256=BCBFDB33F14F3AC77845AA80B2A03A71B3E0266E3C592E62512489485C2A55A1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000890277Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:21:25.241{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C795027B2E26B69BDAC6049973B3B25,SHA256=F525529628CAC362E189512B7F921EBE22467036987D2AAD26B99F556A98B37C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000890278Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:21:26.256{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7070D051F71CB3DE1CFE30660540F87C,SHA256=DFEE99170C62092C91DAAEC0914141D57FF4397D6641BE854463FE020F77E52A,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001027288Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:21:26.069{2E2BE06D-6DE8-60FA-2700-00000000E601}2892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-56.attackrange.local57369-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x80000000000000001027287Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:21:26.295{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BFE14A9B33ADDC44AE5F6963FD77E2FD,SHA256=E41DF942E4E298251D4427B4489C369592E6AD77C040A058EDD7BFE32235D31D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000890303Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:21:27.913{D94AFF6C-6DDA-60FA-2B00-00000000E701}28322852C:\Windows\system32\conhost.exe{D94AFF6C-7087-60FE-9978-00000000E701}4040C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000890302Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:21:27.897{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000890301Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:21:27.897{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000890300Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:21:27.897{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000890299Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:21:27.897{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000890298Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:21:27.897{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000890297Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:21:27.897{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000890296Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:21:27.897{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000890295Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:21:27.897{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000890294Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:21:27.897{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000890293Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:21:27.897{D94AFF6C-6DD7-60FA-0500-00000000E701}416532C:\Windows\system32\csrss.exe{D94AFF6C-7087-60FE-9978-00000000E701}4040C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000890292Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:21:27.897{D94AFF6C-6DD9-60FA-2200-00000000E701}12963324C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D94AFF6C-7087-60FE-9978-00000000E701}4040C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000890291Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:21:27.898{D94AFF6C-7087-60FE-9978-00000000E701}4040C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D94AFF6C-6DD8-60FA-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{D94AFF6C-6DD9-60FA-2200-00000000E701}1296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000890290Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:21:18.152{D94AFF6C-6DE2-60FA-6100-00000000E701}3628C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-702.eu-central-1.compute.internal52510-false10.0.1.12-8000- 23542300x8000000000000000890289Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:21:27.272{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=687A142A4B957351FF20675DFFFEE5E2,SHA256=BF39E86F82CEECCB986B7B4104D9F7BB70352D3C8589EE44A12DE75BA37836A8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001027289Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:21:27.311{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA04C23255C106D6E73505B6BF236E72,SHA256=148C93F684C415129A6A0F4C8FC8B32C1C52441A1BFFBAB1519DD17D97842360,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000890288Microsoft-Windows-Sysmon/Operationalwin-host-702-SetValue2021-07-26 08:21:27.163{D94AFF6C-6DD8-60FA-0B00-00000000E701}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000890287Microsoft-Windows-Sysmon/Operationalwin-host-702-SetValue2021-07-26 08:21:27.163{D94AFF6C-6DD8-60FA-0B00-00000000E701}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x0faa67b2) 13241300x8000000000000000890286Microsoft-Windows-Sysmon/Operationalwin-host-702-SetValue2021-07-26 08:21:27.163{D94AFF6C-6DD8-60FA-0B00-00000000E701}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d781ee-0xd70a7514) 13241300x8000000000000000890285Microsoft-Windows-Sysmon/Operationalwin-host-702-SetValue2021-07-26 08:21:27.163{D94AFF6C-6DD8-60FA-0B00-00000000E701}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d781f7-0x38cedd14) 13241300x8000000000000000890284Microsoft-Windows-Sysmon/Operationalwin-host-702-SetValue2021-07-26 08:21:27.163{D94AFF6C-6DD8-60FA-0B00-00000000E701}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d781ff-0x9a934514) 13241300x8000000000000000890283Microsoft-Windows-Sysmon/Operationalwin-host-702-SetValue2021-07-26 08:21:27.163{D94AFF6C-6DD8-60FA-0B00-00000000E701}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000890282Microsoft-Windows-Sysmon/Operationalwin-host-702-SetValue2021-07-26 08:21:27.163{D94AFF6C-6DD8-60FA-0B00-00000000E701}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x0faa67b2) 13241300x8000000000000000890281Microsoft-Windows-Sysmon/Operationalwin-host-702-SetValue2021-07-26 08:21:27.163{D94AFF6C-6DD8-60FA-0B00-00000000E701}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d781ee-0xd70a7514) 13241300x8000000000000000890280Microsoft-Windows-Sysmon/Operationalwin-host-702-SetValue2021-07-26 08:21:27.163{D94AFF6C-6DD8-60FA-0B00-00000000E701}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d781f7-0x38cedd14) 13241300x8000000000000000890279Microsoft-Windows-Sysmon/Operationalwin-host-702-SetValue2021-07-26 08:21:27.163{D94AFF6C-6DD8-60FA-0B00-00000000E701}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d781ff-0x9a934514) 23542300x80000000000000001027290Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:21:28.327{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C7770884791B1C290AED57FB8D3EC1AF,SHA256=FC5752715544CF19DDEE3C7379B147B31D06F13D8A39730973A5E25AAE8ECA71,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000890319Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:21:28.913{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AC5096B9483F2E8B59E7F11F123DB9C6,SHA256=994493F8DD2923F1BD0F79E16DE64C80EB1642855194861D58DC9D330BAAA975,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000890318Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:21:28.913{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4F2359C82B4B65594AA3970A8F5FAE8D,SHA256=2E07E6E65D16F1322D484BFE01154D327264224FD7C74EC062C2047E9F4182C9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000890317Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:21:28.585{D94AFF6C-6DDA-60FA-2B00-00000000E701}28322852C:\Windows\system32\conhost.exe{D94AFF6C-7088-60FE-9A78-00000000E701}3740C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000890316Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:21:28.569{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000890315Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:21:28.569{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000890314Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:21:28.569{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000890313Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:21:28.569{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000890312Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:21:28.569{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000890311Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:21:28.569{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000890310Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:21:28.569{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000890309Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:21:28.569{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000890308Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:21:28.569{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000890307Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:21:28.569{D94AFF6C-6DD7-60FA-0500-00000000E701}4161060C:\Windows\system32\csrss.exe{D94AFF6C-7088-60FE-9A78-00000000E701}3740C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000890306Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:21:28.569{D94AFF6C-6DD9-60FA-2200-00000000E701}12963324C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D94AFF6C-7088-60FE-9A78-00000000E701}3740C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000890305Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:21:28.570{D94AFF6C-7088-60FE-9A78-00000000E701}3740C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D94AFF6C-6DD8-60FA-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{D94AFF6C-6DD9-60FA-2200-00000000E701}1296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000890304Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:21:28.288{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D7744085BA3DBD95A66E4A5D009A149,SHA256=B16D9C554C7779988518B1346F687534075EE576704FFF7A9818017AD4367B65,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001027291Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:21:29.327{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=88B86D7C32DCF84D7229AB5E5866A036,SHA256=A579B21964416C5DBD65852F0FC983778A819DE3FE93FBA930B3BB1848572088,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000890347Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:21:29.928{D94AFF6C-6DDA-60FA-2B00-00000000E701}28322852C:\Windows\system32\conhost.exe{D94AFF6C-7089-60FE-9C78-00000000E701}2844C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000890346Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:21:29.913{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000890345Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:21:29.913{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000890344Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:21:29.913{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000890343Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:21:29.913{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000890342Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:21:29.913{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000890341Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:21:29.913{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000890340Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:21:29.913{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000890339Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:21:29.913{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000890338Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:21:29.913{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000890337Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:21:29.913{D94AFF6C-6DD7-60FA-0500-00000000E701}416432C:\Windows\system32\csrss.exe{D94AFF6C-7089-60FE-9C78-00000000E701}2844C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000890336Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:21:29.913{D94AFF6C-6DD9-60FA-2200-00000000E701}12963324C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D94AFF6C-7089-60FE-9C78-00000000E701}2844C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000890335Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:21:29.913{D94AFF6C-7089-60FE-9C78-00000000E701}2844C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D94AFF6C-6DD8-60FA-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{D94AFF6C-6DD9-60FA-2200-00000000E701}1296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000890334Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:21:29.366{D94AFF6C-7089-60FE-9B78-00000000E701}15963576C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{D94AFF6C-6DD9-60FA-2200-00000000E701}1296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000890333Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:21:29.319{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=003BB6408F588698BAEB0A8A9B0EC9CE,SHA256=906402C5EBD5F7AF99E1708F07FA926BE2F3A1686BA7F61371FCCCA6EC2AC77A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000890332Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:21:29.256{D94AFF6C-6DDA-60FA-2B00-00000000E701}28322852C:\Windows\system32\conhost.exe{D94AFF6C-7089-60FE-9B78-00000000E701}1596C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000890331Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:21:29.241{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000890330Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:21:29.241{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000890329Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:21:29.241{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000890328Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:21:29.241{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000890327Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:21:29.241{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000890326Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:21:29.241{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000890325Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:21:29.241{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000890324Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:21:29.241{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000890323Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:21:29.241{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000890322Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:21:29.241{D94AFF6C-6DD7-60FA-0500-00000000E701}416432C:\Windows\system32\csrss.exe{D94AFF6C-7089-60FE-9B78-00000000E701}1596C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000890321Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:21:29.241{D94AFF6C-6DD9-60FA-2200-00000000E701}12963324C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D94AFF6C-7089-60FE-9B78-00000000E701}1596C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000890320Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:21:29.242{D94AFF6C-7089-60FE-9B78-00000000E701}1596C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D94AFF6C-6DD8-60FA-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{D94AFF6C-6DD9-60FA-2200-00000000E701}1296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001027292Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:21:30.327{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CDA23C27E4D2148B4FA3B3A61A4ED170,SHA256=143CB5AC4FFA0CEA262BA9DD8D5E6815524EB7B091DA4DD07D45608DE52A87D7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000890349Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:21:30.553{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5DD13BABD05D7A4C7EE20E03CFFCC770,SHA256=FEDB297F50B3291B5FAC297BDB3416F7DA263612332B8863E7C8752AE5B3B555,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000890348Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:21:30.319{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AC5096B9483F2E8B59E7F11F123DB9C6,SHA256=994493F8DD2923F1BD0F79E16DE64C80EB1642855194861D58DC9D330BAAA975,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001027294Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:21:31.256{2E2BE06D-6DF4-60FA-6900-00000000E601}3676C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-56.attackrange.local57370-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001027293Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:21:31.467{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=280000DF80D758E18DDF72D764F1735E,SHA256=748290BBC92F874F1945C77BA74B235A884994D028E90FD50D2A6BCF3638B5B9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000890350Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:21:31.600{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7345FF145EEC2485CD39BA6838EFE7B0,SHA256=25C213CAFBB5E06D26475647E7B2F090FBA4459A61F906EFB719D1A20C868E47,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000890351Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:21:32.616{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FACD00F734DC4EB0253E98A25CED3798,SHA256=CD03BB689044DF7374C795570F859F06833D1C68F0CCC220923F48830E82BD20,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001027295Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:21:32.514{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=38D3EE076A2E5266D66E585823483BBE,SHA256=58BFB9DE57CE661C2B7658D488043CE6287D9E215A7EA6C46D8CD5B9FDCCAD2A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000890353Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:21:33.897{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=52DAC039DD8D1E206C9457FF683FD7F8,SHA256=0CA4AC475F590412FBA85C5044FE0619FAA6E67F86B04223F9CBC0ABA50E5A4B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000890352Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:21:33.803{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ADCCF51209FC69C15B9516C4279460F3,SHA256=B0017C0FC590E020DE685E0F9FF6103189ADED5BE56E4CAA46A441BB3CB46AC0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001027296Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:21:33.530{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=37E7082396ACE7FA4F1050DB5D48D683,SHA256=7EC7C788C3A1FE6439886315B72B7178DE4C127EF0A43474EC9F01F0D8BCDFC9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000890355Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:21:34.835{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=74E5C01D8B34DD4DA16A5E3AF93BD353,SHA256=8B7D2093B9CEDF19EE5BA51055ABD25148AE9BB4E0807D1D6B489FFEE5F551EE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001027297Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:21:34.545{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=659172E86B03E3AE69B3597F8A23DF1C,SHA256=02FC90F9556384039853B960EFD48B2D7A2761AE27B9A03F3E176FFFF0D5D75C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000890354Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:21:24.105{D94AFF6C-6DE2-60FA-6100-00000000E701}3628C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-702.eu-central-1.compute.internal52511-false10.0.1.12-8000- 23542300x80000000000000001027298Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:21:35.545{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB2F0BA79A44B75D98A1048EC1AD0A9B,SHA256=3ABAE15157EF26CDD61FBD45CC1F234E58E2BE508FFC3E364CDB65063951E6F1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000890371Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:21:35.991{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D22B08431A7B52B6580BADD0E10C126,SHA256=AFA5F8F8C878A0D8B95B632D1D1387E92600EB6E2E89DABC85692DBD85C90943,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000890370Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:21:35.788{D94AFF6C-708F-60FE-9D78-00000000E701}1723052C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D94AFF6C-6DD9-60FA-2200-00000000E701}1296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000890369Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:21:35.678{D94AFF6C-6DDA-60FA-2B00-00000000E701}28322852C:\Windows\system32\conhost.exe{D94AFF6C-708F-60FE-9D78-00000000E701}172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000890368Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:21:35.678{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000890367Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:21:35.678{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000890366Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:21:35.663{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000890365Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:21:35.663{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000890364Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:21:35.663{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000890363Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:21:35.663{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000890362Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:21:35.663{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000890361Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:21:35.663{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000890360Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:21:35.663{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000890359Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:21:35.663{D94AFF6C-6DD7-60FA-0500-00000000E701}416532C:\Windows\system32\csrss.exe{D94AFF6C-708F-60FE-9D78-00000000E701}172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000890358Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:21:35.663{D94AFF6C-6DD9-60FA-2200-00000000E701}12963324C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D94AFF6C-708F-60FE-9D78-00000000E701}172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000890357Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:21:35.663{D94AFF6C-708F-60FE-9D78-00000000E701}172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D94AFF6C-6DD8-60FA-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{D94AFF6C-6DD9-60FA-2200-00000000E701}1296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000890356Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:21:24.855{D94AFF6C-6DD8-60FA-1000-00000000E701}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse217.160.191.146-63982-false10.0.1.15win-host-702.eu-central-1.compute.internal3389ms-wbt-server 23542300x80000000000000001027299Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:21:36.639{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9124D399C3267EFA9083499218990AF2,SHA256=F7B6C666301CC25278650F7C0BAC3C5AB14365D59D39708E706ADB92BB01B1EE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000890372Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:21:36.835{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7FE8C90A3DF5FE0BCA89CC792A53DADF,SHA256=E3316D74C9831562EF1EA0BC56155F0D3C3808093D9E7984C17BC8BA0DE4733F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001027300Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:21:37.655{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C5C1573FB05CB1780DDB781C4B0259F4,SHA256=E4975FD429CA51BCC78A64A1D361F97BB1CFD2977A7FD2ADBBDB9A50A48C991D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000890373Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:21:37.022{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B1A366F56E5FB21BBEF70A41ED4C9C36,SHA256=8151AC24CCF34E8BAF5ECDF65733444DDE5C904F229730EC63ECA0C005EF31D2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001027301Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:21:38.670{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=84A7FA7CD3D5D35C5104F86B9DC4446B,SHA256=5B1B513EC3DFA5EED28FA7B6F4FE321DB4F67F3F333251473814697196AE2F19,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000890375Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:21:29.183{D94AFF6C-6DE2-60FA-6100-00000000E701}3628C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-702.eu-central-1.compute.internal52512-false10.0.1.12-8000- 23542300x8000000000000000890374Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:21:38.053{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=63C8086068508AB6ED9DEC27C3117009,SHA256=3220A6BF2FF0858BFF653EDCC7696BE0E62768D7C75F4C8EFA1F813D2B2D40EE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001027303Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:21:39.686{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB40C88094E3CD78B33280CD59F698D7,SHA256=E720FBE14D68F7DB2D566EE162D8189DE9E0F845464E3A11B82DAED3821AC5D2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000890390Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:21:39.772{D94AFF6C-7093-60FE-9E78-00000000E701}19761528C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{D94AFF6C-6DD9-60FA-2200-00000000E701}1296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000890389Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:21:39.663{D94AFF6C-6DDA-60FA-2B00-00000000E701}28322852C:\Windows\system32\conhost.exe{D94AFF6C-7093-60FE-9E78-00000000E701}1976C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000890388Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:21:39.647{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000890387Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:21:39.647{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000890386Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:21:39.647{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000890385Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:21:39.647{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000890384Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:21:39.647{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000890383Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:21:39.647{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000890382Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:21:39.647{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000890381Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:21:39.647{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000890380Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:21:39.647{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000890379Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:21:39.647{D94AFF6C-6DD7-60FA-0500-00000000E701}4161852C:\Windows\system32\csrss.exe{D94AFF6C-7093-60FE-9E78-00000000E701}1976C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000890378Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:21:39.647{D94AFF6C-6DD9-60FA-2200-00000000E701}12963324C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D94AFF6C-7093-60FE-9E78-00000000E701}1976C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000890377Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:21:39.648{D94AFF6C-7093-60FE-9E78-00000000E701}1976C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D94AFF6C-6DD8-60FA-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{D94AFF6C-6DD9-60FA-2200-00000000E701}1296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000890376Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:21:39.288{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2FF742E8E5EF1CEE419D7D29D9DB4899,SHA256=57D7E80982BF3838F63CDDA7C94947900486BD03057F215B25C9C6CFD851E706,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001027302Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:21:37.225{2E2BE06D-6DF4-60FA-6900-00000000E601}3676C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-56.attackrange.local57371-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001027304Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:21:40.889{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F64071DFD17A84C6731FDD3ECFA9C2CF,SHA256=B84A0BD219209141BC0AFCC2C74A6E3E5FDA289BE3D134DB47812D9D12B20A4C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000890406Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:21:40.694{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8FEB92CED0F624C7CD0E58E9C4A442BD,SHA256=1CF23B46B6BC524D88F94101FACA3DC574C0518E7F1380AFB423AE0195D1886C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000890405Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:21:40.475{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=90AD835DE3C70B9F6EEBA27FC717C1AA,SHA256=D45A936E1114FEC8A0CECBACE2482BABDD5E47E9C8991F190C030EF9EF255BA5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000890404Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:21:40.460{D94AFF6C-7094-60FE-9F78-00000000E701}11203328C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D94AFF6C-6DD9-60FA-2200-00000000E701}1296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000890403Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:21:40.335{D94AFF6C-6DDA-60FA-2B00-00000000E701}28322852C:\Windows\system32\conhost.exe{D94AFF6C-7094-60FE-9F78-00000000E701}1120C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000890402Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:21:40.319{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000890401Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:21:40.319{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000890400Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:21:40.319{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000890399Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:21:40.319{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000890398Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:21:40.319{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000890397Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:21:40.319{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000890396Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:21:40.319{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000890395Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:21:40.319{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000890394Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:21:40.319{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000890393Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:21:40.319{D94AFF6C-6DD7-60FA-0500-00000000E701}4161060C:\Windows\system32\csrss.exe{D94AFF6C-7094-60FE-9F78-00000000E701}1120C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000890392Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:21:40.319{D94AFF6C-6DD9-60FA-2200-00000000E701}12963324C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D94AFF6C-7094-60FE-9F78-00000000E701}1120C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000890391Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:21:40.320{D94AFF6C-7094-60FE-9F78-00000000E701}1120C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{D94AFF6C-6DD8-60FA-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{D94AFF6C-6DD9-60FA-2200-00000000E701}1296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001027324Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:21:41.889{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CFB64DBB81BFF965AAA0E3457EF4780A,SHA256=11E1FF83E8E7A2A4F701257734FFA50C7A173C57D1B2F40C45BAA47049CE44C5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000890407Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:21:41.475{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B996DA6B6DB68EDF9499013B0CD27E4E,SHA256=6B5A4B77877FF068FBB6BFD2F1373FE76BA0D86880CDAA5D7E81BF83E1CFEED4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001027323Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:21:41.858{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DD8-60FA-1500-00000000E601}1132C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027322Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:21:41.858{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DD8-60FA-1500-00000000E601}1132C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027321Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:21:41.858{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DD8-60FA-1500-00000000E601}1132C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027320Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:21:41.858{2E2BE06D-6DD6-60FA-0B00-00000000E601}6366244C:\Windows\system32\lsass.exe{2E2BE06D-6DD3-60FA-0100-00000000E601}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+304a5|C:\Windows\system32\lsasrv.dll+2e33b|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001027319Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:21:41.748{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DD8-60FA-1500-00000000E601}1132C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027318Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:21:41.748{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DD8-60FA-1500-00000000E601}1132C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027317Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:21:41.748{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DD8-60FA-1500-00000000E601}1132C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027316Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:21:41.748{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DD8-60FA-1500-00000000E601}1132C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027315Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:21:41.748{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DD8-60FA-1500-00000000E601}1132C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027314Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:21:41.748{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DD8-60FA-1500-00000000E601}1132C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027313Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:21:41.748{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DD8-60FA-1500-00000000E601}1132C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027312Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:21:41.748{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DD8-60FA-1500-00000000E601}1132C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027311Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:21:41.748{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DD8-60FA-1500-00000000E601}1132C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027310Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:21:41.748{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DD8-60FA-1500-00000000E601}1132C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027309Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:21:41.748{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DD8-60FA-1500-00000000E601}1132C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027308Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:21:41.748{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DD8-60FA-1500-00000000E601}1132C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027307Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:21:41.748{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DD8-60FA-1500-00000000E601}1132C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027306Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:21:41.748{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DD8-60FA-1500-00000000E601}1132C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027305Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:21:41.748{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DD8-60FA-1500-00000000E601}1132C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001027330Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:21:42.920{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA9A69E5A1F58AB682968C5D8699A1B0,SHA256=B9BF24B18EAB12CDD22CF1817F0F28440F1303F6B247555D833DCB71CE451CA4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000890408Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:21:42.476{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B565E31F1CF8996A0000CE51919D44BD,SHA256=274FB763EF36E5EF58FCE5B6FAEB9FDB70913E830546DAF9420704D6B097EA55,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001027329Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:21:42.748{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FC733F242AEE0A37EA89E9635F951B58,SHA256=1911E3889F8CDDB5F0E10327ECF3F7A7ACE29720893CACA5D03649941B615ECF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001027328Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:21:42.748{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7D5C7000C97796FA5185AAEA6CF8828F,SHA256=4DF62DCEBD9519CF4C31D6D93F5D4FF7F1CC35D82AA34E713B06242EA49FF640,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001027327Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:21:42.415{2E2BE06D-6DD3-60FA-0100-00000000E601}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:90d2:7368:bb37:9ac5win-dc-56.attackrange.local57373-truefe80:0:0:0:90d2:7368:bb37:9ac5win-dc-56.attackrange.local445microsoft-ds 354300x80000000000000001027326Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:21:42.415{2E2BE06D-6DD3-60FA-0100-00000000E601}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:90d2:7368:bb37:9ac5win-dc-56.attackrange.local57373-truefe80:0:0:0:90d2:7368:bb37:9ac5win-dc-56.attackrange.local445microsoft-ds 354300x80000000000000001027325Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:21:42.334{2E2BE06D-6DF4-60FA-6900-00000000E601}3676C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-56.attackrange.local57372-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001027331Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:21:43.920{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9DBF6F761CEC6F42908D8AFA9214F849,SHA256=AF453D5E79CF53D358B657BEB470A886FF3AA4582ADF251E6937D195F1FA6FAA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000890409Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:21:43.479{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B15AAD9529AE918615BD4C8FCBB79637,SHA256=6A70697878825CEBF8B5670B7F45C612F487A8B96840388A4F067D8347922B92,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000890410Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:21:44.494{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B83E25773740A281182B81D1072FD9C3,SHA256=E67C143FA3F94196EA055D3530721DAD08CD460FABE8CF423D53C5B214E08AF7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001027361Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:21:44.764{2E2BE06D-6DE9-60FA-3300-00000000E601}31563176C:\Windows\system32\conhost.exe{2E2BE06D-7098-60FE-2979-00000000E601}4912C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027360Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:21:44.764{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027359Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:21:44.764{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027358Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:21:44.764{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027357Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:21:44.764{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027356Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:21:44.764{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027355Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:21:44.764{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027354Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:21:44.764{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027353Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:21:44.764{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027352Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:21:44.764{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027351Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:21:44.764{2E2BE06D-6DD6-60FA-0500-00000000E601}416432C:\Windows\system32\csrss.exe{2E2BE06D-7098-60FE-2979-00000000E601}4912C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001027350Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:21:44.764{2E2BE06D-6DE8-60FA-2700-00000000E601}28923740C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2E2BE06D-7098-60FE-2979-00000000E601}4912C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001027349Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:21:44.749{2E2BE06D-7098-60FE-2979-00000000E601}4912C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2E2BE06D-6DD6-60FA-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{2E2BE06D-6DE8-60FA-2700-00000000E601}2892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001027348Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:21:42.908{2E2BE06D-6DD6-60FA-0B00-00000000E601}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-56.attackrange.local57375-false10.0.1.14win-dc-56.attackrange.local389ldap 354300x80000000000000001027347Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:21:42.908{2E2BE06D-6DD8-60FA-1000-00000000E601}384C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-56.attackrange.local57375-false10.0.1.14win-dc-56.attackrange.local389ldap 354300x80000000000000001027346Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:21:42.888{2E2BE06D-6DD6-60FA-0B00-00000000E601}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:90d2:7368:bb37:9ac5win-dc-56.attackrange.local57374-truefe80:0:0:0:90d2:7368:bb37:9ac5win-dc-56.attackrange.local389ldap 354300x80000000000000001027345Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:21:42.888{2E2BE06D-6DD8-60FA-1000-00000000E601}384C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:90d2:7368:bb37:9ac5win-dc-56.attackrange.local57374-truefe80:0:0:0:90d2:7368:bb37:9ac5win-dc-56.attackrange.local389ldap 10341000x80000000000000001027344Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:21:44.076{2E2BE06D-6DE9-60FA-3300-00000000E601}31563176C:\Windows\system32\conhost.exe{2E2BE06D-7098-60FE-2879-00000000E601}2092C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027343Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:21:44.076{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027342Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:21:44.076{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027341Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:21:44.076{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027340Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:21:44.076{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027339Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:21:44.076{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027338Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:21:44.076{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027337Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:21:44.076{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027336Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:21:44.076{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027335Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:21:44.076{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027334Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:21:44.076{2E2BE06D-6DD6-60FA-0500-00000000E601}416432C:\Windows\system32\csrss.exe{2E2BE06D-7098-60FE-2879-00000000E601}2092C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001027333Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:21:44.076{2E2BE06D-6DE8-60FA-2700-00000000E601}28923740C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2E2BE06D-7098-60FE-2879-00000000E601}2092C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001027332Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:21:44.062{2E2BE06D-7098-60FE-2879-00000000E601}2092C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2E2BE06D-6DD6-60FA-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{2E2BE06D-6DE8-60FA-2700-00000000E601}2892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000890413Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:21:35.093{D94AFF6C-6DE2-60FA-6100-00000000E701}3628C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-702.eu-central-1.compute.internal52513-false10.0.1.12-8000- 23542300x8000000000000000890412Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:21:45.494{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C2F3570CAA46BCE2CD5F52EEDD6C6C6C,SHA256=5A08B92C948517CD2A697E6F85D006EE9057694AC1E29E6F5DA07EAF91EDEFA8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001027377Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:21:45.639{2E2BE06D-7099-60FE-2A79-00000000E601}54325824C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{2E2BE06D-6DE8-60FA-2700-00000000E601}2892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027376Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:21:45.451{2E2BE06D-6DE9-60FA-3300-00000000E601}31563176C:\Windows\system32\conhost.exe{2E2BE06D-7099-60FE-2A79-00000000E601}5432C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027375Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:21:45.451{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027374Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:21:45.451{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027373Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:21:45.451{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027372Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:21:45.451{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027371Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:21:45.451{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027370Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:21:45.451{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027369Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:21:45.451{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027368Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:21:45.451{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027367Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:21:45.451{2E2BE06D-6DD6-60FA-0500-00000000E601}416420C:\Windows\system32\csrss.exe{2E2BE06D-7099-60FE-2A79-00000000E601}5432C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001027366Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:21:45.451{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027365Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:21:45.436{2E2BE06D-6DE8-60FA-2700-00000000E601}28923740C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2E2BE06D-7099-60FE-2A79-00000000E601}5432C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001027364Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:21:45.437{2E2BE06D-7099-60FE-2A79-00000000E601}5432C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2E2BE06D-6DD6-60FA-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{2E2BE06D-6DE8-60FA-2700-00000000E601}2892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001027363Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:21:45.248{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=13289C53E00A68C5087698D14750FCF3,SHA256=62DFB69BE9FB6E5372CE95A2307F436E3F355EA90A106D1CCCF38B09636F4E13,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001027362Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:21:45.248{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FC733F242AEE0A37EA89E9635F951B58,SHA256=1911E3889F8CDDB5F0E10327ECF3F7A7ACE29720893CACA5D03649941B615ECF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000890411Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:21:45.323{D94AFF6C-6DD8-60FA-1100-00000000E701}972NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=2EC3CD6021F6F18E82C3E20521DB9CA3,SHA256=53BEAEBD2617748E2EC7473079A1B517BA3CA1D0F263CD406795C64011D7B433,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000890415Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:21:36.843{D94AFF6C-6DD8-60FA-1000-00000000E701}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse49.238.204.234-62660-false10.0.1.15win-host-702.eu-central-1.compute.internal3389ms-wbt-server 23542300x8000000000000000890414Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:21:46.510{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=726D1169D1934BA1139BA828C2F201A3,SHA256=B6956F220C448219F7814AD491244C25045A77600521529686F9C27EF11B6131,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001027406Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:21:46.826{2E2BE06D-6DE9-60FA-3300-00000000E601}31563176C:\Windows\system32\conhost.exe{2E2BE06D-709A-60FE-2C79-00000000E601}6760C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027405Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:21:46.826{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027404Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:21:46.826{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027403Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:21:46.826{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027402Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:21:46.826{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027401Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:21:46.826{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027400Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:21:46.826{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027399Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:21:46.826{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027398Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:21:46.826{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027397Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:21:46.826{2E2BE06D-6DD6-60FA-0500-00000000E601}416536C:\Windows\system32\csrss.exe{2E2BE06D-709A-60FE-2C79-00000000E601}6760C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001027396Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:21:46.826{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027395Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:21:46.826{2E2BE06D-6DE8-60FA-2700-00000000E601}28923740C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2E2BE06D-709A-60FE-2C79-00000000E601}6760C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001027394Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:21:46.812{2E2BE06D-709A-60FE-2C79-00000000E601}6760C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{2E2BE06D-6DD6-60FA-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{2E2BE06D-6DE8-60FA-2700-00000000E601}2892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001027393Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:21:46.436{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4C670A2D948235BF0EF9B9320F130BC1,SHA256=6B57F0D5F514DC703E192BEFD5390FFD751DE02A83CAC416DAD2D9CD005416E2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001027392Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:21:46.421{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA2E307EEA6386787597350DA51BD764,SHA256=1A3F0FB3331D490D2239D450EF8AE9E015264803A8943EC4AC2C267F857362F4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001027391Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:21:46.311{2E2BE06D-709A-60FE-2B79-00000000E601}7606476C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{2E2BE06D-6DE8-60FA-2700-00000000E601}2892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027390Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:21:46.139{2E2BE06D-6DE9-60FA-3300-00000000E601}31563176C:\Windows\system32\conhost.exe{2E2BE06D-709A-60FE-2B79-00000000E601}760C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027389Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:21:46.139{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027388Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:21:46.139{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027387Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:21:46.139{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027386Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:21:46.139{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027385Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:21:46.139{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027384Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:21:46.139{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027383Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:21:46.139{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027382Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:21:46.139{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027381Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:21:46.139{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027380Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:21:46.139{2E2BE06D-6DD6-60FA-0500-00000000E601}416536C:\Windows\system32\csrss.exe{2E2BE06D-709A-60FE-2B79-00000000E601}760C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001027379Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:21:46.139{2E2BE06D-6DE8-60FA-2700-00000000E601}28923740C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2E2BE06D-709A-60FE-2B79-00000000E601}760C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001027378Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:21:46.124{2E2BE06D-709A-60FE-2B79-00000000E601}760C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2E2BE06D-6DD6-60FA-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{2E2BE06D-6DE8-60FA-2700-00000000E601}2892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000890418Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:21:47.526{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3AE892F01F98C8C7F162E34ABC972F74,SHA256=1372F524BDA4E5EF31312D83ED32F52E9D9086AE13E5AE1744E2A154F1ACBEBE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001027423Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:21:47.811{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=90D664196CA643002552066D3B69A287,SHA256=5391E79CEEF6BF7B837325E9C6FD4347E17EE1CCBB6FDA903F48FB4982A60216,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001027422Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:21:47.701{2E2BE06D-709B-60FE-2D79-00000000E601}7088328C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{2E2BE06D-6DE8-60FA-2700-00000000E601}2892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027421Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:21:47.514{2E2BE06D-6DE9-60FA-3300-00000000E601}31563176C:\Windows\system32\conhost.exe{2E2BE06D-709B-60FE-2D79-00000000E601}7088C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027420Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:21:47.514{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027419Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:21:47.514{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027418Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:21:47.514{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027417Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:21:47.514{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027416Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:21:47.514{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027415Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:21:47.514{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027414Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:21:47.514{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027413Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:21:47.514{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027412Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:21:47.514{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027411Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:21:47.514{2E2BE06D-6DD6-60FA-0500-00000000E601}416420C:\Windows\system32\csrss.exe{2E2BE06D-709B-60FE-2D79-00000000E601}7088C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001027410Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:21:47.514{2E2BE06D-6DE8-60FA-2700-00000000E601}28923740C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2E2BE06D-709B-60FE-2D79-00000000E601}7088C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001027409Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:21:47.499{2E2BE06D-709B-60FE-2D79-00000000E601}7088C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2E2BE06D-6DD6-60FA-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{2E2BE06D-6DE8-60FA-2700-00000000E601}2892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001027408Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:21:47.389{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6BB83CADEAA3AB1A18299B32D0C9233B,SHA256=B3D1DE38B51B13DD651DE6AC2829A89FCEA34CDD53195A6D4DEFE8B31511C72F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000890417Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:21:47.447{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0F23A22C37F99B5EFBE70986D73D30F4,SHA256=D8FCAFE4B15057BF20A250E3364591E953CE168D38AED1FCDDD33361789FC5D4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000890416Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:21:47.447{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6BE55723590389EA73DD51332B08A635,SHA256=185E31447E6B3C0587148D0FE2D544E3B9E0FA5FF20117C3BC56BB7C3D5BEE7C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001027407Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:21:47.061{2E2BE06D-709A-60FE-2C79-00000000E601}67605364C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{2E2BE06D-6DE8-60FA-2700-00000000E601}2892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000890419Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:21:48.526{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BBB5A3F965F477B2CC78790FB11AB268,SHA256=9331542D5826A047FAB0633C2DCEE80CDA376FC8DEBB5BABACA6C0EA08E0384B,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001027426Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:21:48.303{2E2BE06D-6DF4-60FA-6900-00000000E601}3676C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-56.attackrange.local57376-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001027425Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:21:48.009{2E2BE06D-6DD8-60FA-0F00-00000000E601}368C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse212.102.34.235unn-212-102-34-235.datapacket.com47951-false10.0.1.14win-dc-56.attackrange.local3389ms-wbt-server 23542300x80000000000000001027424Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:21:48.389{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6FEA0542DF79F585C156108E0A655D43,SHA256=444B570BCB8CADFB82F6FEB217E99CDB3D77EC8684B09D99A43D99A6456AE429,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001027427Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:21:49.389{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=24BE4D4751DDF686D86235F2CD09D27C,SHA256=7CDD2DFC8B2D08F9F077966BE87ED3895C368DBCCF43FFA10B3BEE5E8B5B7E96,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000890421Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:21:40.249{D94AFF6C-6DE2-60FA-6100-00000000E701}3628C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-702.eu-central-1.compute.internal52514-false10.0.1.12-8000- 23542300x8000000000000000890420Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:21:49.541{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E604383BCA31273438F211E975EA989,SHA256=0AE4DF29991B99703477782018A12E34C4E9989AD300FD4CFF1FC63F213E0477,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000890423Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:21:50.557{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2C20A767D1C7B3B014AB2ECB8088C47F,SHA256=C262C3D2B7986BA42FCD9F447A1ED452C2E2BE7137BFB16BBFC1FEFDBC2456DF,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001027431Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:21:50.678{2E2BE06D-6DD6-60FA-0B00-00000000E601}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-56.attackrange.local57377-true0:0:0:0:0:0:0:1win-dc-56.attackrange.local389ldap 354300x80000000000000001027430Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:21:50.678{2E2BE06D-6DE8-60FA-2300-00000000E601}2740C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-56.attackrange.local57377-true0:0:0:0:0:0:0:1win-dc-56.attackrange.local389ldap 23542300x80000000000000001027429Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:21:50.780{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0377F3D3E03540B0E6D8DF86BFA40C62,SHA256=BD4D9D2E4E58AFC8D9EE6B34660BABA4610AD4E7A71A0784D9D9AD4779FC8F36,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001027428Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:21:50.405{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F9B62647EFC8239980439B0BC2431D16,SHA256=086E9C4FC91664653745E2D0188C2E4738EDDD49CA7A0D576D8985E4499F7549,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000890422Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:21:50.057{D94AFF6C-6DD9-60FA-2200-00000000E701}1296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=85E02EEFEB94889C2B3FA0450D64D965,SHA256=FD2D44B44F455C51F744FDF6D494B2B2CAA113DD2D7C2DD2E0FED42E8CA25B0C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000890427Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:21:42.077{D94AFF6C-6DD9-60FA-2200-00000000E701}1296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-702.eu-central-1.compute.internal52515-false10.0.1.12-8089- 354300x8000000000000000890426Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:21:41.372{D94AFF6C-6DD8-60FA-1000-00000000E701}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse210.245.94.89smtp2.groupcontact.net55284-false10.0.1.15win-host-702.eu-central-1.compute.internal3389ms-wbt-server 23542300x8000000000000000890425Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:21:51.572{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9CC979E4EA823D1A258CAB73BAC1A1C2,SHA256=316DD016AED2298BA84CA6C4428706973EB716D9A9F8E6502A186DCCB2247940,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001027445Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:21:51.811{2E2BE06D-6DE9-60FA-3300-00000000E601}31563176C:\Windows\system32\conhost.exe{2E2BE06D-709F-60FE-2E79-00000000E601}5752C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027444Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:21:51.795{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027443Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:21:51.795{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027442Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:21:51.795{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027441Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:21:51.795{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027440Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:21:51.795{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027439Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:21:51.795{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027438Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:21:51.795{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027437Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:21:51.795{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027436Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:21:51.795{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027435Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:21:51.795{2E2BE06D-6DD6-60FA-0500-00000000E601}416420C:\Windows\system32\csrss.exe{2E2BE06D-709F-60FE-2E79-00000000E601}5752C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001027434Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:21:51.795{2E2BE06D-6DE8-60FA-2700-00000000E601}28923740C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2E2BE06D-709F-60FE-2E79-00000000E601}5752C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001027433Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:21:51.780{2E2BE06D-709F-60FE-2E79-00000000E601}5752C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2E2BE06D-6DD6-60FA-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{2E2BE06D-6DE8-60FA-2700-00000000E601}2892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001027432Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:21:51.405{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F7FFDE6F01FCBE6B4A1CC93A92181AD0,SHA256=56D7517BD432152100FCC61F418F810D6F34121406CC3084C8213F0A540089B7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000890424Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:21:51.072{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0F23A22C37F99B5EFBE70986D73D30F4,SHA256=D8FCAFE4B15057BF20A250E3364591E953CE168D38AED1FCDDD33361789FC5D4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000890428Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:21:52.588{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D8342BECBA01AC5633E39D7A1980C77E,SHA256=A28F9206864806B79788BBA840430BD908D61A98F51AA70F76ED4DCBF161B5E5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001027447Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:21:52.779{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FB85359788032B5ECCFF3EC2089E3FF2,SHA256=CA4EADD011BD8103F0E9D03D579BDC4FE8EFDEA206FE2751DCC34D6E0808156A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001027446Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:21:52.405{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C94461D68879BC28F3F19B7A090E6FAD,SHA256=E4E0B61F4779FB79626B22DAA9785C61C5B0D8E79B0034A5611EC10E33BC5F8C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000890429Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:21:53.604{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=50822C8502A182D7FA9CE14DAB5E73AA,SHA256=BAA25B5A3D2AC8281EFCB2347D8879947BC89085F3BE510FDB0FF56F6C6C701C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001027448Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:21:53.404{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=05C3E33C8794B5A8D7AFF970929D90AB,SHA256=D7B29799AA5B65001A63D0DA00630A4FE1786833FB16E5527D4759A03B841335,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001027449Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:21:54.404{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=35AE49BFC44B8814E444C7B56DAAC865,SHA256=496184DEDF3B123C72717145AE4E94B7AA4095731AD8E38464C3BB46BF596C21,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000890430Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:21:54.619{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=79EF9FA95284842A7F0257A4CD511FCD,SHA256=91A01B0E11101EF38497DE37A5D341908A648C04ECA31E7FBC981070CCA44D95,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001027451Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:21:55.404{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=745827A08AF89A46BAA52ED1885AB6AD,SHA256=26CA4402F7357CE2D2E84E47B94866B799698E0D3240B0ACA5513AA4220A8FD3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000890431Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:21:55.635{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA0C78FF29483B99B09E6AA7284DDB06,SHA256=DE78627B5AB89B46146B0050E1AD8E74012841F9923A8C2FC5F702540032B1BA,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001027450Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:21:53.397{2E2BE06D-6DF4-60FA-6900-00000000E601}3676C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-56.attackrange.local57378-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000890433Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:21:56.651{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB9AC948C538BA798168DA8D4B66E412,SHA256=C1CCAC5AB017265D8B0A3CB0CA78444AC95D77CB338292CA5902B6F2589D5CDA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001027452Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:21:56.420{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F22048693C2E6BC194840EB0D48CB97D,SHA256=BED885DCE5210029CE7072E99521220C4D72C9FB4DF437C43D012A3A716A5E37,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000890432Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:21:46.139{D94AFF6C-6DE2-60FA-6100-00000000E701}3628C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-702.eu-central-1.compute.internal52516-false10.0.1.12-8000- 23542300x8000000000000000890434Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:21:57.666{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8582BE6DD211DE82FCEFAB08415015E1,SHA256=71F722F1013873D1723038B1257017AF6A0561420E3C5F3AF4A3207691EA32EF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001027453Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:21:57.436{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=743E26F1977DCE2BEBADEC5AE11C745B,SHA256=2C8B88941CC26B7E777F48FB553E8712D7FD0E83B4837846D575517BCC4A8D14,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001027454Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:21:58.436{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=80C81F280E66E7961DA71E63E6B2C4AB,SHA256=F663F84E99BF1F182CE5B7DD4A8D9192329B01C6CDCE30AC7615A0E9A2D22D94,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000890435Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:21:58.682{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=709D4A80571C21E43A1D09ED5D552FA0,SHA256=AA1AAC5FADE77BC65C0F1D37A2F9F984796B4D3C1322472FA176700A6CBB2EF6,IMPHASH=00000000000000000000000000000000falsetrue 13241300x80000000000000001027465Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-SetValue2021-07-26 08:21:59.576{2E2BE06D-6DD6-60FA-0B00-00000000E601}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x80000000000000001027464Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-SetValue2021-07-26 08:21:59.576{2E2BE06D-6DD6-60FA-0B00-00000000E601}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x0fab15a5) 13241300x80000000000000001027463Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-SetValue2021-07-26 08:21:59.576{2E2BE06D-6DD6-60FA-0B00-00000000E601}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d781ee-0xebe5d87f) 13241300x80000000000000001027462Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-SetValue2021-07-26 08:21:59.576{2E2BE06D-6DD6-60FA-0B00-00000000E601}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d781f7-0x4daa407f) 13241300x80000000000000001027461Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-SetValue2021-07-26 08:21:59.576{2E2BE06D-6DD6-60FA-0B00-00000000E601}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d781ff-0xaf6ea87f) 13241300x80000000000000001027460Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-SetValue2021-07-26 08:21:59.576{2E2BE06D-6DD6-60FA-0B00-00000000E601}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x80000000000000001027459Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-SetValue2021-07-26 08:21:59.576{2E2BE06D-6DD6-60FA-0B00-00000000E601}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x0fab15a5) 13241300x80000000000000001027458Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-SetValue2021-07-26 08:21:59.576{2E2BE06D-6DD6-60FA-0B00-00000000E601}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d781ee-0xebe5d87f) 13241300x80000000000000001027457Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-SetValue2021-07-26 08:21:59.576{2E2BE06D-6DD6-60FA-0B00-00000000E601}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d781f7-0x4daa407f) 13241300x80000000000000001027456Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-SetValue2021-07-26 08:21:59.576{2E2BE06D-6DD6-60FA-0B00-00000000E601}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d781ff-0xaf6ea87f) 23542300x80000000000000001027455Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:21:59.483{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D998D5EF966B7E0409DB2C1F37350242,SHA256=1A8B2522D3113705947551E7BB95CC588A3E299E863DAACCECCE7B1E207A826D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000890436Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:21:59.697{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=96B302BB5DC98A3985E9224DC748A840,SHA256=DDD4BAC8B6DB5276FE5591EE2C097F97AF8EF68F78B68716538FE029ADE23BA1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001027467Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:22:00.545{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1A5D0F8281BA03EBEF700CC9DA740485,SHA256=D3A8C456549B042D57B24B2EA78BACBA78EEE32E2DF9BAE193C28003A8B69C7F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000890437Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:22:00.713{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8231536740A6B534EF21090BC218C56B,SHA256=310B3145A00BE438E0DCE01493D8C26EBF695A4B731AE4C96E35E96168290A99,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001027466Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:21:59.334{2E2BE06D-6DF4-60FA-6900-00000000E601}3676C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-56.attackrange.local57379-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001027468Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:22:01.639{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ADFA3B36D8B9B42CC584C9100DAA95CC,SHA256=CE3AB90D762CF505607D3BFCA6805A852482BA32704353DC3FB3B085749FEA12,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000890438Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:22:01.713{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BD9076D2F342FFE588FBF4569EDB0674,SHA256=BD2DD15F36B66E6B3F1BFFA4471417BEA2529C1AE0445387FB4AF0AF95752991,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001027469Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:22:02.779{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=18B48C2660FA1513798695DC1BE5A591,SHA256=5AEAB8A3348FD8AF40CE4294EE03A9C0A600EE35023DB323B53712F7208440F0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000890440Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:22:02.729{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=15B882B690AA272B1CB5548FD7CAB82D,SHA256=E284AC03D1E0FC2BAA5193527FA4AD9CD5BFC809AA2F4F2524DD5360A76613FE,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000890439Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:21:52.155{D94AFF6C-6DE2-60FA-6100-00000000E701}3628C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-702.eu-central-1.compute.internal52517-false10.0.1.12-8000- 23542300x80000000000000001027470Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:22:03.811{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=20327C4B7329780399183D9CB9E4E496,SHA256=0DFCEC9F46E9A09BA67C326B8D26598AF91315BAC474D0ACEA2F36BA073B6AF2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000890442Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:21:53.667{D94AFF6C-6DD8-60FA-1000-00000000E701}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse165.227.69.223-60586-false10.0.1.15win-host-702.eu-central-1.compute.internal3389ms-wbt-server 23542300x8000000000000000890441Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:22:03.744{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4881717E4F72490D086AD80AC442CC77,SHA256=41D09A19666A5EDEFA47C480EE0DDC3320EB1881E609E1BCD9F6E0D986D54A54,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001027471Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:22:04.826{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=70A85E4D194EB03DDA4E99E995061907,SHA256=A18AA5251B4A9F525DD2A8A0B603040B90902D9CEA159A556E82FC05668DC044,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000890443Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:22:04.760{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3BA7A7F22926B9980AAF287F951D63B5,SHA256=9E74FDE0AF7121004B9CD651677FD1A8FFD04BC733D5A1D2343137A47509E244,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001027472Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:22:05.826{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9652DC20EEBB5B84F47C909B6EC665EB,SHA256=8CF717DCA2C981F3F63BE119DCE29E8ABAB75F4E1D37ABA07DD538D6D3AFFAEB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000890446Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:22:05.776{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C45886063102C3F5BAB76F53BE8180EC,SHA256=FC6EB68523F516E34EAA77F8FC11DEA1E0E97F4D9E87D35E35DF9E82CE927977,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000890445Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:22:05.713{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=02912D852EF91FF7FCF52D9AC3150C32,SHA256=98C479E75DAB93B0C050A8E090AAA7C554722D729F07B56074B1C40333BD71AC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000890444Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:22:05.713{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DFF7BBBE7D81066779376C8EC2364024,SHA256=D1BB6B92679D96CAAE964E1D9BA34CD7A1FE78278F8A172771A04555CBEC189B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000890447Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:22:06.776{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=383346DB884D6EEAC27F3377DF0826BF,SHA256=7ADCD334B23704BC50BF166831BE8D6FD4F08F66A838A23342E00B8CC10B7186,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001027473Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:22:05.303{2E2BE06D-6DF4-60FA-6900-00000000E601}3676C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-56.attackrange.local57380-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000890449Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:21:58.186{D94AFF6C-6DE2-60FA-6100-00000000E701}3628C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-702.eu-central-1.compute.internal52518-false10.0.1.12-8000- 23542300x8000000000000000890448Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:22:07.791{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=34ECDE962B475A7AFA7F5194FFA24861,SHA256=EC1F3464AFB9384A78EDBE9BB7E15E9F0E2AEC7EE22550955FAEC14464BE48AF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001027474Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:22:07.061{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B1EB3020DC99B2E64C941278F7859D39,SHA256=61904849DA8098988B0516B12C5D32D8E2D92C3DF21BB58AB2109A6D48B7EE70,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000890450Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:22:08.791{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A481464EE00EDC3E84B106E9CF67553D,SHA256=534AD0E449FA026D95950C7EA6F2BA8B012FDC6CC2A16345A113694BA6AD73F8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001027475Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:22:08.061{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=82C139C3050FB0C00AF9556947C13540,SHA256=836FABA9580FC9591C514A835D5E9FDE7F670F15358818F14F20AE198ECAD3F8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000890451Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:22:09.807{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=58FC91B0518271081A4448A1F3DDAD76,SHA256=98FDA305C6590325CDB0474C2E354F3CDA08F09240E6C44E0D67BDDA051CBED8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001027476Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:22:09.092{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=082BD8951E6AF6CF3CD8C3D5EE30F4C9,SHA256=BF7A1F2973DA60A13173DFB7C1EA32B4C7A7DB93512326527D479040807AFF7A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000890452Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:22:10.822{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=26D0E09FB1507065CD7B7431B0298B89,SHA256=9C0D54C3469ECDB54DEFFDD691AE2AB5E09B2D4F5C1B0D47445D9B08C4C66CB6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001027477Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:22:10.126{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B18648DDA6550463F0D1B0064864C02,SHA256=0C117034EA139490EBDC87F8EF832B6F1B56B8F983078ECEF511461ACFB09A80,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000890453Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:22:11.823{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FD0252883E573CCBF6EF36D22B9A8C31,SHA256=9F8B017D5D14C0472BE21B943E68A8454A159EEB5ECCB57451469A3BA2C11E0E,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001027479Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:22:11.228{2E2BE06D-6DF4-60FA-6900-00000000E601}3676C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-56.attackrange.local57381-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001027478Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:22:11.127{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2216620E468B9E2BF501CED94C3AAA79,SHA256=7286F30950C5200080D61CB53502BDA9B091E02716AB3841752EE3919C968447,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000890454Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:22:12.838{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B1FD27F11449485B4AE16399500F6ED9,SHA256=3B8C5FBD91379F3C52E269E71AA1F51A8CC75E2B7B6C4F60F0F4C2F5351AB557,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001027480Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:22:12.158{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E9C1BD34A54FE3C489281EF7CAC36B7D,SHA256=593C464B4860530E8DAA83ABD8575A3426B956BAA666FCDE38EC79B32DCCEB36,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000890459Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:22:13.854{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA5F1560622033CE794DDE4C6666E83C,SHA256=B598AD90D6ACF0CADA615CBBC46CBC55F2D07FA759E6DF13F257F7CBE0B788CA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001027481Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:22:13.158{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=37DE6AD49EBCC0266C14FB36188FDC30,SHA256=CCCCB9CC74E4A74FF5E3BE3945652713F3F87FEE847C292F97218CC3B4B7B542,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000890458Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:22:13.447{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6E1C688FE55B52B4C7C666FB98D3F2DA,SHA256=63AD4D19A6D6E1D51CC6FFDB7B2F073762D27287257745AD5B9C930BF1CB5C38,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000890457Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:22:13.447{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=02912D852EF91FF7FCF52D9AC3150C32,SHA256=98C479E75DAB93B0C050A8E090AAA7C554722D729F07B56074B1C40333BD71AC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000890456Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:22:03.305{D94AFF6C-6DD8-60FA-1000-00000000E701}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse191.96.168.227-55188-false10.0.1.15win-host-702.eu-central-1.compute.internal3389ms-wbt-server 354300x8000000000000000890455Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:22:03.233{D94AFF6C-6DE2-60FA-6100-00000000E701}3628C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-702.eu-central-1.compute.internal52519-false10.0.1.12-8000- 23542300x8000000000000000890460Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:22:14.869{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2085AEBDA229A7A9555077D269418816,SHA256=4A304449C75C50DCC8F5BF13C5BD0C1B350A02129CB8726DEF2516745ED59785,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001027482Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:22:14.158{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A135B24D894D92F52C344332FFD89033,SHA256=DEB0CDB4699F49D4DE6A56314501556DB9B6B091422563D1820EF1DC8F58D8B7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000890461Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:22:15.869{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B79B8848DAD566D921F9F8DA171BE87,SHA256=4D42E7041954FA66C04CAE06D76CB851C5FD03A19537799D0FB7C72D126B8CEC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001027483Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:22:15.189{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D728F71D79E0806F7282E77423EC331E,SHA256=4B47D4DC5C8DD5EAF3D7A20A609436BE0F5A924BE11DD4318BDB462475085AD8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000890478Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:22:16.963{D94AFF6C-6DD8-60FA-1700-00000000E701}12001676C:\Windows\system32\svchost.exe{D94AFF6C-70B8-60FE-A078-00000000E701}3912C:\Windows\System32\sihclient.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\cryptsvc.dll+6124|c:\windows\system32\cryptsvc.dll+5e34|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000890477Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:22:16.916{D94AFF6C-70B8-60FE-A178-00000000E701}39163892C:\Windows\system32\conhost.exe{D94AFF6C-70B8-60FE-A078-00000000E701}3912C:\Windows\System32\sihclient.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000890476Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:22:16.916{D94AFF6C-6DD7-60FA-0500-00000000E701}416432C:\Windows\system32\csrss.exe{D94AFF6C-70B8-60FE-A178-00000000E701}3916C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000890475Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:22:16.916{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000890474Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:22:16.916{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000890473Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:22:16.916{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000890472Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:22:16.916{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000890471Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:22:16.916{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000890470Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:22:16.916{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000890469Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:22:16.916{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000890468Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:22:16.916{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000890467Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:22:16.901{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000890466Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:22:16.901{D94AFF6C-6DD7-60FA-0500-00000000E701}4161060C:\Windows\system32\csrss.exe{D94AFF6C-70B8-60FE-A078-00000000E701}3912C:\Windows\System32\sihclient.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000890465Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:22:16.901{D94AFF6C-6DD8-60FA-1400-00000000E701}10442336C:\Windows\system32\svchost.exe{D94AFF6C-70B8-60FE-A078-00000000E701}3912C:\Windows\System32\sihclient.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|c:\windows\system32\UBPM.dll+a7a1|c:\windows\system32\UBPM.dll+fa34|c:\windows\system32\UBPM.dll+cdcc|c:\windows\system32\UBPM.dll+d395|c:\windows\system32\UBPM.dll+dc95|c:\windows\system32\UBPM.dll+e9dd|c:\windows\system32\UBPM.dll+e1ba|c:\windows\system32\UBPM.dll+de12|c:\windows\system32\EventAggregation.dll+3e22|c:\windows\system32\EventAggregation.dll+36c9|c:\windows\system32\EventAggregation.dll+332f|c:\windows\system32\EventAggregation.dll+2e28|C:\Windows\SYSTEM32\ntdll.dll+65b55|C:\Windows\SYSTEM32\ntdll.dll+6585d|C:\Windows\SYSTEM32\ntdll.dll+656c0|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000890464Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:22:16.901{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD8-60FA-1400-00000000E701}1044C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000890463Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:22:16.901{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD8-60FA-1400-00000000E701}1044C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000890462Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:22:16.885{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C9104132ED78A09BE425DB2E4F9529A,SHA256=9397E05E859B55B69F2FE9E27D52618B633F546D8BD70110EF3B9A1227E95723,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001027484Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:22:16.205{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=46769EABD5E5A49B9B4BEB169496F69E,SHA256=F038F675FCD9C3D453B6D18CF0F01DC08351CD727E63944097958D3A9959CC6E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000890480Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:22:17.916{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6E1C688FE55B52B4C7C666FB98D3F2DA,SHA256=63AD4D19A6D6E1D51CC6FFDB7B2F073762D27287257745AD5B9C930BF1CB5C38,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000890479Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:22:17.885{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE51BBFCEBA2A4A75D94268F99EF3799,SHA256=6A86015FCAB236DA836A09AA3C88458DFE9E8D12D6EB4917E9014BEF244E3DD4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001027486Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:22:17.845{2E2BE06D-6DD8-60FA-1200-00000000E601}780NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=03CB997D78B0E1C21D00506D24076BFB,SHA256=32B3CE3310881F3AD2D192A1B1498715CF873CD23EA4715A0BF837CE6AA8BFB5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001027485Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:22:17.205{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=235FC680650CEB76F55D47211ED9558C,SHA256=E69E67A1214B0126D086D761D3AF1C484F30047133FC01C4B5C9D21B98465E59,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000890481Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:22:18.901{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F768D71B8155D5993DFF9BA675DF087,SHA256=CAF1C30AE0C357B21D62C14657B8EED109B96B5F8C765F78180BE6B0989E83DF,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001027488Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:22:17.260{2E2BE06D-6DF4-60FA-6900-00000000E601}3676C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-56.attackrange.local57382-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001027487Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:22:18.236{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DBC2B5DA63B808E0B06F1C04890215E7,SHA256=1E2EB180E9D15BE8253DE9A0A7637E7AA2002F1A73992B6FEBA6E2D46D77CCE4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000890483Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:22:19.916{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C7B30431CB8837DD4B7EECA2C4AF1277,SHA256=E023B89C6F25B518E32C38347B14D665333A81A03AE9D1889830F38B8378DA5D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001027489Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:22:19.236{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C0D0CFC309AA4DB8992EBA6C5B6B0E92,SHA256=0A1A9FE621C1731C126C9E586EDA6421395315ED029D8BB12EE4317241B70A38,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000890482Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:22:09.175{D94AFF6C-6DE2-60FA-6100-00000000E701}3628C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-702.eu-central-1.compute.internal52520-false10.0.1.12-8000- 23542300x8000000000000000890484Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:22:20.932{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F42D64C6288733D2F124E266F1EEB11,SHA256=D90B7770EBE624EEF831EE8D110A009A2980B2AE0E53069DCEF656A28F7873EC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001027490Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:22:20.252{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B0EF6AFDD48AB34BD4CF45EB815E8B9,SHA256=F4C49A448C38E421B59E1511A1EEA222BFC180657BDA3DAF527AC436131F11D0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000890485Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:22:21.948{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2D09EC70B95360B6C507B5B1E6AFAD63,SHA256=502C2D236BB845FCBC8FA355096BE6BBE0EEEC438241332182EBA0FF253C06D7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001027491Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:22:21.252{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7150DD8995D0F76A7583BCA15CE1B224,SHA256=585F0BD31A90DC143AD21C143335D6EC6CBA28FCE0D9A786D616290E2AC8FA7C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000890488Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:22:22.963{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B64F3F77C8255AE872EBC9A26285ADD,SHA256=CCEA221DF47E138B8B98E2E69BF3480845641FAC52E95ACCACD2C7BC17955065,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001027492Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:22:22.252{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=14C7CCD10E4AFA3831F40AAB0A7848C9,SHA256=FF6C12F6EC5B768546D12317080EBE70D9C208C18EC3B433220C5C5ECCF113D0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000890487Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:22:22.932{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=67DD4B1196E9D093CB885FE300F8503F,SHA256=F1FF483308DB514EB8B5B78ED9BC8FDE78944F2CDE1F8CF584C5CCECFB7F6F47,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000890486Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:22:22.932{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B9B4310D156EF46C7BFDA9F7A31CEF85,SHA256=6B5D3524443136AF52658017486F17E23CE33B87AA292434183924CE057F8D25,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000890491Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:22:23.979{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EF674B09F64250B63B1C3436359D0E7E,SHA256=DB97FAE906BDA2DA1D2E6E0506CEC8C97B68FE6274D266EF7BBEB08DBC40F74E,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001027494Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:22:23.182{2E2BE06D-6DF4-60FA-6900-00000000E601}3676C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-56.attackrange.local57383-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001027493Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:22:23.252{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=48356E84593DA831E38756BA510D7925,SHA256=C073C848C924255D43B31AE44C0E83C931D49E44E37D2CC53BEECAFC0B1095DB,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000890490Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:22:13.868{D94AFF6C-6DD8-60FA-1000-00000000E701}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse210.245.94.89smtp2.groupcontact.net58243-false10.0.1.15win-host-702.eu-central-1.compute.internal3389ms-wbt-server 354300x8000000000000000890489Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:22:13.816{D94AFF6C-6DD8-60FA-1000-00000000E701}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse193.93.62.33-53223-false10.0.1.15win-host-702.eu-central-1.compute.internal3389ms-wbt-server 23542300x8000000000000000890492Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:22:24.994{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=38789B01E53BC6DE44011CEE643C6AC3,SHA256=1478D5230CD8B7CCA914A942752926852487CAF4FAFF8C992B40824AA7A4B9A4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001027496Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:22:24.970{2E2BE06D-6DE8-60FA-2700-00000000E601}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=85E02EEFEB94889C2B3FA0450D64D965,SHA256=FD2D44B44F455C51F744FDF6D494B2B2CAA113DD2D7C2DD2E0FED42E8CA25B0C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001027495Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:22:24.283{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F181672A019CD7AC478DFF3DE858368,SHA256=03DD30E0E5ACBF3E79B6135FD154571F8844C9D188A0E457E95C6E0404F240D5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001027497Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:22:25.283{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC3F30AE372D7F895EC4ADBA33007D2E,SHA256=5691B1392CC521E53AC09337C41E5B665BFE5E55CA2918B5850782F2A42341CE,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000890493Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:22:15.170{D94AFF6C-6DE2-60FA-6100-00000000E701}3628C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-702.eu-central-1.compute.internal52521-false10.0.1.12-8000- 354300x80000000000000001027499Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:22:26.088{2E2BE06D-6DE8-60FA-2700-00000000E601}2892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-56.attackrange.local57384-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x80000000000000001027498Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:22:26.517{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=054C03BDC372E710525A5928E51DC3B2,SHA256=8B1ADFD0B407AA94C960A08F28E6B58BDCE7A57276BFA1080D1BCDF542FCA368,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000890494Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:22:26.010{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A7B1F319B4683BEF293A2767A873B0BE,SHA256=512847BE4830E22B22A1BA0A9B1F0D13B289FFE2BAFAA3BA2FED40F4DEAE78DF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001027500Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:22:27.580{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=943150F543582FC6AFBDCF7481AB4EF8,SHA256=0D6C6B2D2CBD9789376632FCB97E4C839A6D575A328891C15990AE35B2442BBA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000890508Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:22:27.916{D94AFF6C-6DDA-60FA-2B00-00000000E701}28322852C:\Windows\system32\conhost.exe{D94AFF6C-70C3-60FE-A278-00000000E701}3896C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000890507Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:22:27.901{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000890506Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:22:27.901{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000890505Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:22:27.901{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000890504Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:22:27.901{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000890503Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:22:27.901{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000890502Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:22:27.901{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000890501Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:22:27.901{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000890500Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:22:27.901{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000890499Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:22:27.901{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000890498Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:22:27.901{D94AFF6C-6DD7-60FA-0500-00000000E701}4161060C:\Windows\system32\csrss.exe{D94AFF6C-70C3-60FE-A278-00000000E701}3896C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000890497Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:22:27.901{D94AFF6C-6DD9-60FA-2200-00000000E701}12963324C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D94AFF6C-70C3-60FE-A278-00000000E701}3896C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000890496Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:22:27.901{D94AFF6C-70C3-60FE-A278-00000000E701}3896C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D94AFF6C-6DD8-60FA-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{D94AFF6C-6DD9-60FA-2200-00000000E701}1296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000890495Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:22:27.026{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C02639124FFCFAFA34497E790E070363,SHA256=A8404F0D298C783A618B7726C41E4BAD8099503CB077D3D2CC127C7887ED0FF4,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001027502Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:22:28.354{2E2BE06D-6DF4-60FA-6900-00000000E601}3676C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-56.attackrange.local57385-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001027501Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:22:28.627{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ABC2CCABD53D0DBAF6B6F6223E06E5C8,SHA256=A7D0FB414AB9E78C3310FFFAF1BA7F4C7479D6F3EC73C1D21FB549508759036F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000890523Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:22:28.698{D94AFF6C-70C4-60FE-A378-00000000E701}924296C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{D94AFF6C-6DD9-60FA-2200-00000000E701}1296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000890522Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:22:28.588{D94AFF6C-6DDA-60FA-2B00-00000000E701}28322852C:\Windows\system32\conhost.exe{D94AFF6C-70C4-60FE-A378-00000000E701}924C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000890521Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:22:28.573{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000890520Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:22:28.573{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000890519Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:22:28.573{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000890518Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:22:28.573{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000890517Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:22:28.573{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000890516Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:22:28.573{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000890515Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:22:28.573{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000890514Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:22:28.573{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000890513Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:22:28.573{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000890512Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:22:28.573{D94AFF6C-6DD7-60FA-0500-00000000E701}416532C:\Windows\system32\csrss.exe{D94AFF6C-70C4-60FE-A378-00000000E701}924C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000890511Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:22:28.573{D94AFF6C-6DD9-60FA-2200-00000000E701}12963324C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D94AFF6C-70C4-60FE-A378-00000000E701}924C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000890510Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:22:28.573{D94AFF6C-70C4-60FE-A378-00000000E701}924C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D94AFF6C-6DD8-60FA-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{D94AFF6C-6DD9-60FA-2200-00000000E701}1296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000890509Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:22:28.041{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=65D1B1390109923E4E52DFAD1CB5ABBF,SHA256=F747F19CC093B5D6541D5DB361CAEDB1A7999F18206FDBF2AB1CF9C1D498894D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001027503Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:22:29.626{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=41ECABC3D62619F8F55DC4DF180DF48B,SHA256=FA2427BBA37D42F6EE626CA40499041A62F87A7FE95D31936AE39F9E3134C436,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000890552Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:22:29.932{D94AFF6C-6DDA-60FA-2B00-00000000E701}28322852C:\Windows\system32\conhost.exe{D94AFF6C-70C5-60FE-A578-00000000E701}3556C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000890551Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:22:29.916{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000890550Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:22:29.916{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000890549Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:22:29.916{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000890548Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:22:29.916{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000890547Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:22:29.916{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000890546Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:22:29.916{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000890545Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:22:29.916{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000890544Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:22:29.916{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000890543Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:22:29.916{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000890542Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:22:29.916{D94AFF6C-6DD7-60FA-0500-00000000E701}416532C:\Windows\system32\csrss.exe{D94AFF6C-70C5-60FE-A578-00000000E701}3556C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000890541Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:22:29.916{D94AFF6C-6DD9-60FA-2200-00000000E701}12963324C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D94AFF6C-70C5-60FE-A578-00000000E701}3556C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000890540Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:22:29.917{D94AFF6C-70C5-60FE-A578-00000000E701}3556C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D94AFF6C-6DD8-60FA-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{D94AFF6C-6DD9-60FA-2200-00000000E701}1296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000890539Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:22:29.260{D94AFF6C-6DDA-60FA-2B00-00000000E701}28322852C:\Windows\system32\conhost.exe{D94AFF6C-70C5-60FE-A478-00000000E701}948C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000890538Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:22:29.244{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000890537Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:22:29.244{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000890536Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:22:29.244{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000890535Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:22:29.244{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000890534Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:22:29.244{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000890533Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:22:29.244{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000890532Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:22:29.244{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000890531Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:22:29.244{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000890530Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:22:29.244{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000890529Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:22:29.244{D94AFF6C-6DD7-60FA-0500-00000000E701}416432C:\Windows\system32\csrss.exe{D94AFF6C-70C5-60FE-A478-00000000E701}948C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000890528Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:22:29.244{D94AFF6C-6DD9-60FA-2200-00000000E701}12963324C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D94AFF6C-70C5-60FE-A478-00000000E701}948C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000890527Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:22:29.245{D94AFF6C-70C5-60FE-A478-00000000E701}948C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D94AFF6C-6DD8-60FA-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{D94AFF6C-6DD9-60FA-2200-00000000E701}1296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000890526Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:22:29.057{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=723148D37B4C2EB8612F46B8F02BDBD5,SHA256=445C39D5820CB6501A42C5990ABAAC13AAFEC0681075546CB76F1D3B57DDACA9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000890525Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:22:29.026{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BD01C68CA5195D83D28219AF1E68BC3A,SHA256=0B475D84774896F7F3972A29CB8828EB7641F2091FEC00939DCFBFC523BC6D81,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000890524Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:22:29.026{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=67DD4B1196E9D093CB885FE300F8503F,SHA256=F1FF483308DB514EB8B5B78ED9BC8FDE78944F2CDE1F8CF584C5CCECFB7F6F47,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000890554Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:22:30.588{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA95219E1219FC45D126733AA330BD67,SHA256=A3E504A34FA510EF9DB4B6EDAD69577C89AECA5E64719928E1DD5E16E79FD3AF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000890553Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:22:30.588{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BD01C68CA5195D83D28219AF1E68BC3A,SHA256=0B475D84774896F7F3972A29CB8828EB7641F2091FEC00939DCFBFC523BC6D81,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001027504Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:22:30.626{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D952EAF95B4A080D19E486CB20DF2177,SHA256=EED59252B57ACE7071075D9FEFAD09C73A9D05B14A6A775274B0BED8019ED1E9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001027505Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:22:31.626{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=93445433698A98B555A98AF0EDBA31CE,SHA256=5D4DC8C7B67CDFCF9DFF4ADAB43DDF570957655AB8AB24B8B6C87DFF40A9C0BF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000890557Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:22:31.791{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B953D8C0D2B36FF0D6D8D23ECF6F9362,SHA256=805409EBFFBB2A8A3BD22954D0994B6986E244FDEB08C5FFEA6061698DC467D6,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000890556Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:22:21.657{D94AFF6C-6DD8-60FA-1000-00000000E701}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse50.212.63.14-56175-false10.0.1.15win-host-702.eu-central-1.compute.internal3389ms-wbt-server 354300x8000000000000000890555Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:22:21.091{D94AFF6C-6DE2-60FA-6100-00000000E701}3628C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-702.eu-central-1.compute.internal52522-false10.0.1.12-8000- 23542300x8000000000000000890559Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:22:32.948{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=88D304AC0CEA779E9EE8F422A85D70EA,SHA256=B21710D381B9FC8CB98C40D966BB0C8DBA4353DE729C94E8DED2A60014D59170,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000890558Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:22:32.823{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=324E86176355D858610F094861ABCCB2,SHA256=E5AAFCC2351099EEC75B866E64DEB58DCC631807370D4315D50E7149163005D5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001027506Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:22:32.627{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=491B1CA4150FB7A3B89CAE1F0A142E75,SHA256=85ECA0507607EFEC6C7A7BF7C649E167B74581B3A3FCC9BE52CF886DDD3522C9,IMPHASH=00000000000000000000000000000000falsetrue 13241300x80000000000000001027508Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-SetValue2021-07-26 08:22:33.986{2E2BE06D-6DD8-60FA-1400-00000000E601}688C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d781f7-0x627b308c) 23542300x80000000000000001027507Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:22:33.642{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ADE6D2519F07D2AD635783F2AC01F5AE,SHA256=47E08FFEE2F43BB8DEBAB969E7A607A0B0B96820974E9C76A7A987768604F199,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000890560Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:22:23.252{D94AFF6C-6DD8-60FA-1000-00000000E701}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse210.245.94.89smtp2.groupcontact.net49183-false10.0.1.15win-host-702.eu-central-1.compute.internal3389ms-wbt-server 23542300x80000000000000001027509Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:22:34.642{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=84F11C5FD411404E2BFC20614C523398,SHA256=8F17C73E47BDBCB7C7CBC39A95D6A3079828FCE6DECCD61B504D5FB7D5FB86AF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000890561Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:22:34.041{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C558D483F0DA947C2EA9E78A58283A9,SHA256=3D895C278389253B7A0B7963A158FA503FA499BF641B09470E4D3D5E3E8E81B2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001027511Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:22:35.658{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=34A0421355C8ACE6D588F54067B42817,SHA256=258C6DC64EB64C1003F9DED190BB6EFF22FE5A0591DECD9C14E1035C10E5F2A4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000890576Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:22:35.807{D94AFF6C-70CB-60FE-A678-00000000E701}34282864C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D94AFF6C-6DD9-60FA-2200-00000000E701}1296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000890575Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:22:35.698{D94AFF6C-6DDA-60FA-2B00-00000000E701}28322852C:\Windows\system32\conhost.exe{D94AFF6C-70CB-60FE-A678-00000000E701}3428C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000890574Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:22:35.682{D94AFF6C-6DD8-60FA-0C00-00000000E701}728864C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000890573Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:22:35.682{D94AFF6C-6DD8-60FA-0C00-00000000E701}728864C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000890572Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:22:35.682{D94AFF6C-6DD8-60FA-0C00-00000000E701}728864C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000890571Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:22:35.682{D94AFF6C-6DD8-60FA-0C00-00000000E701}728864C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000890570Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:22:35.682{D94AFF6C-6DD8-60FA-0C00-00000000E701}728864C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000890569Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:22:35.682{D94AFF6C-6DD8-60FA-0C00-00000000E701}728864C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000890568Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:22:35.682{D94AFF6C-6DD8-60FA-0C00-00000000E701}728864C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000890567Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:22:35.682{D94AFF6C-6DD8-60FA-0C00-00000000E701}728864C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000890566Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:22:35.682{D94AFF6C-6DD8-60FA-0C00-00000000E701}728864C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000890565Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:22:35.682{D94AFF6C-6DD7-60FA-0500-00000000E701}416432C:\Windows\system32\csrss.exe{D94AFF6C-70CB-60FE-A678-00000000E701}3428C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000890564Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:22:35.682{D94AFF6C-6DD9-60FA-2200-00000000E701}12963324C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D94AFF6C-70CB-60FE-A678-00000000E701}3428C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000890563Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:22:35.683{D94AFF6C-70CB-60FE-A678-00000000E701}3428C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D94AFF6C-6DD8-60FA-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{D94AFF6C-6DD9-60FA-2200-00000000E701}1296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000890562Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:22:35.135{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DFF8C50A7D65D91587B22CE800FA5214,SHA256=6EF9D60629CDC248FEC20B45795042356A038E2C1CE0F0EE307EE1FFD6648340,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001027510Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:22:34.229{2E2BE06D-6DF4-60FA-6900-00000000E601}3676C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-56.attackrange.local57386-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001027512Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:22:36.673{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B9A41CD4192B6739CA6BA218FCF98B7,SHA256=A25D428C895C16C468387EC2166FF0FE010CB8D5A488AF482113BB6A58169F90,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000890578Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:22:36.698{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F0FFDDA3DD93B836523BB4044D8892A2,SHA256=9F4A7CA8BBB9AFBFEE56DF3D1C596646135484098617ADE07B625C250E1F64A0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000890577Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:22:36.151{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A26DD6772FD07FDD0725D91A638CBBB,SHA256=723C754ED8709AA9FB6142EE8491CBFBF2B222B4C19B7699F881099919AF54F0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001027513Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:22:37.689{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D0B8676F2B8EF552B10ADE3EE86748DC,SHA256=FFB44261DB16C29217806AD0EA4E0A31267E3B3756DDC6DC440A9935A56DAE85,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000890580Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:22:26.216{D94AFF6C-6DE2-60FA-6100-00000000E701}3628C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-702.eu-central-1.compute.internal52523-false10.0.1.12-8000- 23542300x8000000000000000890579Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:22:37.151{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CBB484C929EB06D9C578D89D6B6C385D,SHA256=920A64C8FB2F183E7BC20FED5A6A5FF52B41BD015B703311D8285BB171C8521C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001027514Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:22:38.705{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E4B8F68235396CB90E93862A9582AADF,SHA256=EA2CC0602A92DFC66B1D166994C2E99B4F81C4C766B1F30438883641ACAEC7A0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000890581Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:22:38.166{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E2A2492A92B173BA4A84D037502DB8AA,SHA256=695BDCA4454584FF22B4BA662F4862EBC3BB61BC95D8C06B0F3E66451AF39548,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001027515Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:22:39.720{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ACB52732A98B137ED53C6113E147D920,SHA256=ABBC47AC62355117FA01A584A67252645540A372446874A62C092E41B592A3F7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000890596Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:22:39.776{D94AFF6C-70CF-60FE-A778-00000000E701}40603604C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{D94AFF6C-6DD9-60FA-2200-00000000E701}1296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000890595Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:22:39.651{D94AFF6C-6DDA-60FA-2B00-00000000E701}28322852C:\Windows\system32\conhost.exe{D94AFF6C-70CF-60FE-A778-00000000E701}4060C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000890594Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:22:39.635{D94AFF6C-6DD8-60FA-0C00-00000000E701}728864C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000890593Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:22:39.635{D94AFF6C-6DD8-60FA-0C00-00000000E701}728864C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000890592Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:22:39.635{D94AFF6C-6DD8-60FA-0C00-00000000E701}728864C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000890591Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:22:39.635{D94AFF6C-6DD8-60FA-0C00-00000000E701}728864C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000890590Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:22:39.635{D94AFF6C-6DD8-60FA-0C00-00000000E701}728864C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000890589Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:22:39.635{D94AFF6C-6DD8-60FA-0C00-00000000E701}728864C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000890588Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:22:39.635{D94AFF6C-6DD8-60FA-0C00-00000000E701}728864C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000890587Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:22:39.635{D94AFF6C-6DD8-60FA-0C00-00000000E701}728864C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000890586Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:22:39.635{D94AFF6C-6DD8-60FA-0C00-00000000E701}728864C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000890585Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:22:39.635{D94AFF6C-6DD7-60FA-0500-00000000E701}4161852C:\Windows\system32\csrss.exe{D94AFF6C-70CF-60FE-A778-00000000E701}4060C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000890584Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:22:39.635{D94AFF6C-6DD9-60FA-2200-00000000E701}12963324C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D94AFF6C-70CF-60FE-A778-00000000E701}4060C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000890583Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:22:39.636{D94AFF6C-70CF-60FE-A778-00000000E701}4060C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D94AFF6C-6DD8-60FA-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{D94AFF6C-6DD9-60FA-2200-00000000E701}1296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000890582Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:22:39.182{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B80FD9792A38DC903113DFFC6FAEDD34,SHA256=850C5C480AE859068A1B448DE06EE03609F1DE01128FB821B23A20E1764375DD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001027517Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:22:40.720{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=382351BE636D3ABCE62097450BCB8D78,SHA256=B947A93176B4FA944277D1A88A687B0A8BD8E769B38E534CA4F0EAF11A9E420A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000890612Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:22:40.760{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=932EF2D156E1E6913B15FD0350710E90,SHA256=8DF19BADC31FDFE0CD23DC13C7EF3690AB0FE649AEF6B8323A82575745AC5E07,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000890611Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:22:40.401{D94AFF6C-70D0-60FE-A878-00000000E701}29081696C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D94AFF6C-6DD9-60FA-2200-00000000E701}1296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000890610Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:22:40.276{D94AFF6C-6DDA-60FA-2B00-00000000E701}28322852C:\Windows\system32\conhost.exe{D94AFF6C-70D0-60FE-A878-00000000E701}2908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000890609Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:22:40.260{D94AFF6C-6DD8-60FA-0C00-00000000E701}728864C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000890608Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:22:40.260{D94AFF6C-6DD8-60FA-0C00-00000000E701}728864C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000890607Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:22:40.260{D94AFF6C-6DD8-60FA-0C00-00000000E701}728864C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000890606Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:22:40.260{D94AFF6C-6DD8-60FA-0C00-00000000E701}728864C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000890605Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:22:40.260{D94AFF6C-6DD8-60FA-0C00-00000000E701}728864C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000890604Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:22:40.260{D94AFF6C-6DD8-60FA-0C00-00000000E701}728864C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000890603Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:22:40.260{D94AFF6C-6DD8-60FA-0C00-00000000E701}728864C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000890602Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:22:40.260{D94AFF6C-6DD8-60FA-0C00-00000000E701}728864C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000890601Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:22:40.260{D94AFF6C-6DD8-60FA-0C00-00000000E701}728864C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000890600Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:22:40.260{D94AFF6C-6DD7-60FA-0500-00000000E701}4161060C:\Windows\system32\csrss.exe{D94AFF6C-70D0-60FE-A878-00000000E701}2908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000890599Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:22:40.260{D94AFF6C-6DD9-60FA-2200-00000000E701}12963324C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D94AFF6C-70D0-60FE-A878-00000000E701}2908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000890598Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:22:40.261{D94AFF6C-70D0-60FE-A878-00000000E701}2908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{D94AFF6C-6DD8-60FA-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{D94AFF6C-6DD9-60FA-2200-00000000E701}1296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000890597Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:22:40.198{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=769AA66F21531160B9388E280B5E961C,SHA256=184FFF747B260FFDD9A5EFE09A86E2398F091790510D875DC55CB98173F6C604,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001027516Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:22:39.354{2E2BE06D-6DF4-60FA-6900-00000000E601}3676C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-56.attackrange.local57387-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001027518Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:22:41.720{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B3E575302DCE4C33C4074037B074BFA,SHA256=69B7637A95DCFAACF183A82FB23B9C6AB3E7BB5F74010FFE70012232ADE2D007,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000890614Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:22:32.076{D94AFF6C-6DE2-60FA-6100-00000000E701}3628C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-702.eu-central-1.compute.internal52524-false10.0.1.12-8000- 23542300x8000000000000000890613Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:22:41.213{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E6D2030D27BD87BAF7897A67426C0634,SHA256=217590D07E59DAE1B3C89D1A26B0A71E68AE05028F704FED2F7A43C08542DC3C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001027519Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:22:42.720{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8AAF88F652B996368D6B837ABC322FF5,SHA256=1C2AC72440F3D44DA864C07D7733C9204EEE71567D931F97DAC38502C533F89D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000890615Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:22:42.214{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B395ADE6B6591986D676D5B5A7DA1FE4,SHA256=1BE485C6AC0E3E839BD84EE5565DA2534BB61B4CF7FCAD6EE32828A8EA6695EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001027520Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:22:43.720{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=76FFB0C7A15CC45A16E9A816E4FBE40A,SHA256=91898A0187652CF0E712234A1920CEC3E0AB7371C0B05B5EFF26E895E5BFE695,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000890616Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:22:43.227{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BED7D4EB1C5682B4C086C56D9B0C466E,SHA256=EAFA09EBDFA0D2BFD59E3C3129C337FF391FC59485E1E20D1B95D89E221B0CFF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001027548Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:22:44.783{2E2BE06D-6DE9-60FA-3300-00000000E601}31563176C:\Windows\system32\conhost.exe{2E2BE06D-70D4-60FE-3079-00000000E601}2320C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027547Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:22:44.767{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027546Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:22:44.767{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027545Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:22:44.767{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027544Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:22:44.767{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027543Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:22:44.767{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027542Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:22:44.767{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027541Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:22:44.767{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027540Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:22:44.767{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027539Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:22:44.767{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027538Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:22:44.767{2E2BE06D-6DD6-60FA-0500-00000000E601}416420C:\Windows\system32\csrss.exe{2E2BE06D-70D4-60FE-3079-00000000E601}2320C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001027537Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:22:44.767{2E2BE06D-6DE8-60FA-2700-00000000E601}28923740C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2E2BE06D-70D4-60FE-3079-00000000E601}2320C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001027536Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:22:44.752{2E2BE06D-70D4-60FE-3079-00000000E601}2320C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2E2BE06D-6DD6-60FA-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{2E2BE06D-6DE8-60FA-2700-00000000E601}2892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001027535Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:22:44.736{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=51CDC8BE8A7D36CA4F0DC3357F70F8C9,SHA256=57A3C013C12A6B8ABF051CA2783011EF10BED7E2F69AC5029007D163607F2384,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000890617Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:22:44.228{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=28D3C41625F59C0C3E15EE8A6D48229F,SHA256=4999C595DA93AD7F0FE7A22D1609EAC93AA21755F4FC673FB63CD17E87C70F28,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001027534Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:22:44.314{2E2BE06D-70D4-60FE-2F79-00000000E601}58164936C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{2E2BE06D-6DE8-60FA-2700-00000000E601}2892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027533Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:22:44.095{2E2BE06D-6DE9-60FA-3300-00000000E601}31563176C:\Windows\system32\conhost.exe{2E2BE06D-70D4-60FE-2F79-00000000E601}5816C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027532Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:22:44.079{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027531Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:22:44.079{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027530Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:22:44.079{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027529Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:22:44.079{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027528Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:22:44.079{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027527Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:22:44.079{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027526Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:22:44.079{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027525Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:22:44.079{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027524Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:22:44.079{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027523Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:22:44.079{2E2BE06D-6DD6-60FA-0500-00000000E601}416536C:\Windows\system32\csrss.exe{2E2BE06D-70D4-60FE-2F79-00000000E601}5816C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001027522Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:22:44.079{2E2BE06D-6DE8-60FA-2700-00000000E601}28923740C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2E2BE06D-70D4-60FE-2F79-00000000E601}5816C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001027521Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:22:44.065{2E2BE06D-70D4-60FE-2F79-00000000E601}5816C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{2E2BE06D-6DD6-60FA-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{2E2BE06D-6DE8-60FA-2700-00000000E601}2892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001027566Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:22:45.939{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=991758BD7D5FADB9A07D6DB9323F1AA0,SHA256=1BA3F8F43BE0509F448F916A7355FE7183949A81E636869B301CF11587650522,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000890619Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:22:45.338{D94AFF6C-6DD8-60FA-1100-00000000E701}972NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=4B889B700666BB0E58BB9E0F0F2CF61B,SHA256=C2053D36EF43A6DA96F9ABC2AEA049FF0E7D8F0EFCBC349956D6652270F1525C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000890618Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:22:45.244{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=550F4EF6A032904332AB959DA16A1D6D,SHA256=975D7AB7D309A8C1FF6DF3B7AF6FC7366DCF5F01B3034940309B48A150EB1A14,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001027565Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:22:45.736{2E2BE06D-70D5-60FE-3179-00000000E601}46003164C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{2E2BE06D-6DE8-60FA-2700-00000000E601}2892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027564Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:22:45.486{2E2BE06D-6DE9-60FA-3300-00000000E601}31563176C:\Windows\system32\conhost.exe{2E2BE06D-70D5-60FE-3179-00000000E601}4600C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027563Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:22:45.470{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027562Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:22:45.470{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027561Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:22:45.470{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027560Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:22:45.470{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027559Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:22:45.470{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027558Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:22:45.470{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027557Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:22:45.470{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027556Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:22:45.470{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027555Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:22:45.470{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027554Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:22:45.470{2E2BE06D-6DD6-60FA-0500-00000000E601}416432C:\Windows\system32\csrss.exe{2E2BE06D-70D5-60FE-3179-00000000E601}4600C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001027553Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:22:45.470{2E2BE06D-6DE8-60FA-2700-00000000E601}28923740C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2E2BE06D-70D5-60FE-3179-00000000E601}4600C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001027552Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:22:45.440{2E2BE06D-70D5-60FE-3179-00000000E601}4600C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2E2BE06D-6DD6-60FA-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{2E2BE06D-6DE8-60FA-2700-00000000E601}2892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001027551Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:22:45.229{2E2BE06D-6DF4-60FA-6900-00000000E601}3676C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-56.attackrange.local57388-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001027550Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:22:45.064{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=75DBA212371C0DF382EB9FF8228D07A5,SHA256=597049D6EC27B3E182D49D9E9F9BBFD2C7D2CC2FFB37F6E500D476930DC435F7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001027549Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:22:45.064{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2D1070E472C0886F386BF6D2411AA6E8,SHA256=69211D198BFFC504CA067A51E78BEFC1D5863E0FE4E68DAA93DC808FE0528871,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000890621Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:22:37.200{D94AFF6C-6DE2-60FA-6100-00000000E701}3628C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-702.eu-central-1.compute.internal52525-false10.0.1.12-8000- 23542300x8000000000000000890620Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:22:46.260{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B6F6D25FB8F37EBF1549CF9C0FC85BDD,SHA256=80AC5DE15E2D77CD7A70EC0751FEEEAF96A26FB0FF9AD4A55DFAF8E86C322D39,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001027594Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:22:46.845{2E2BE06D-6DE9-60FA-3300-00000000E601}31563176C:\Windows\system32\conhost.exe{2E2BE06D-70D6-60FE-3379-00000000E601}4024C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027593Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:22:46.845{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027592Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:22:46.845{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027591Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:22:46.845{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027590Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:22:46.845{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027589Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:22:46.845{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027588Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:22:46.845{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027587Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:22:46.845{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027586Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:22:46.845{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027585Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:22:46.845{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027584Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:22:46.845{2E2BE06D-6DD6-60FA-0500-00000000E601}416420C:\Windows\system32\csrss.exe{2E2BE06D-70D6-60FE-3379-00000000E601}4024C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001027583Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:22:46.845{2E2BE06D-6DE8-60FA-2700-00000000E601}28923740C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2E2BE06D-70D6-60FE-3379-00000000E601}4024C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001027582Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:22:46.830{2E2BE06D-70D6-60FE-3379-00000000E601}4024C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2E2BE06D-6DD6-60FA-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{2E2BE06D-6DE8-60FA-2700-00000000E601}2892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001027581Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:22:46.470{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=75DBA212371C0DF382EB9FF8228D07A5,SHA256=597049D6EC27B3E182D49D9E9F9BBFD2C7D2CC2FFB37F6E500D476930DC435F7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001027580Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:22:46.314{2E2BE06D-70D6-60FE-3279-00000000E601}66045924C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{2E2BE06D-6DE8-60FA-2700-00000000E601}2892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027579Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:22:46.158{2E2BE06D-6DE9-60FA-3300-00000000E601}31563176C:\Windows\system32\conhost.exe{2E2BE06D-70D6-60FE-3279-00000000E601}6604C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027578Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:22:46.158{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027577Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:22:46.158{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027576Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:22:46.158{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027575Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:22:46.158{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027574Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:22:46.158{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027573Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:22:46.158{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027572Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:22:46.158{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027571Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:22:46.158{2E2BE06D-6DD6-60FA-0500-00000000E601}416536C:\Windows\system32\csrss.exe{2E2BE06D-70D6-60FE-3279-00000000E601}6604C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001027570Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:22:46.158{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027569Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:22:46.142{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027568Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:22:46.142{2E2BE06D-6DE8-60FA-2700-00000000E601}28923740C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2E2BE06D-70D6-60FE-3279-00000000E601}6604C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001027567Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:22:46.143{2E2BE06D-70D6-60FE-3279-00000000E601}6604C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2E2BE06D-6DD6-60FA-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{2E2BE06D-6DE8-60FA-2700-00000000E601}2892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000890622Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:22:47.275{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EC8C5491E5BE577EC7795C23CFFA13B9,SHA256=A32EEDFF83260732FB6D7454DFFBA74A2AC09D0E34CC76F0870E3C9673F0182A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001027610Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:22:47.876{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DAEB51C2EB18D707D2835D80097717CB,SHA256=4E382680484FA3FB95FE3793EB67BCF5372A7DEBB1D02C03D359032AE1E2B4CC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001027609Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:22:47.548{2E2BE06D-6DE9-60FA-3300-00000000E601}31563176C:\Windows\system32\conhost.exe{2E2BE06D-70D7-60FE-3479-00000000E601}5740C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027608Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:22:47.533{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027607Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:22:47.533{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027606Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:22:47.533{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027605Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:22:47.533{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027604Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:22:47.533{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027603Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:22:47.533{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027602Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:22:47.533{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027601Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:22:47.533{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027600Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:22:47.533{2E2BE06D-6DD6-60FA-0500-00000000E601}416536C:\Windows\system32\csrss.exe{2E2BE06D-70D7-60FE-3479-00000000E601}5740C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001027599Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:22:47.533{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027598Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:22:47.533{2E2BE06D-6DE8-60FA-2700-00000000E601}28923740C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2E2BE06D-70D7-60FE-3479-00000000E601}5740C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001027597Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:22:47.518{2E2BE06D-70D7-60FE-3479-00000000E601}5740C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2E2BE06D-6DD6-60FA-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{2E2BE06D-6DE8-60FA-2700-00000000E601}2892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001027596Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:22:47.329{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A8CF61C5B4A5145A51FE11AEA3408E4C,SHA256=8D9F942DE8E6089843A52747EF27D5C97886A5B48CD16136E28EB14C76D4A617,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001027595Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:22:47.158{2E2BE06D-70D6-60FE-3379-00000000E601}40244888C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{2E2BE06D-6DE8-60FA-2700-00000000E601}2892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000890623Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:22:48.338{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6501E5D831D57AAEA9CCFFF07F386F2F,SHA256=587F5F0F16914A402660F1BE8169C1A32038FAFED93790C4E9A60345B9CD25A4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001027611Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:22:48.376{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C9B669EAFF1A2FB3DC6BD2768656CF84,SHA256=670EB63F1A2FCCB636BA2D996C742C82E6671F82DA02D4AF0B02A33C1260A05E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000890624Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:22:49.478{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B2C6B74C586962505289438D60E653B,SHA256=6B5B10DA60129EBC23538CBCE19E18DCA51757FDCDEAFC9106FC49DF51D5E8EF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001027612Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:22:49.408{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=55DFD2A6976AD35D151D81CC161B40A3,SHA256=F167965A1AA084AEB686D6748BEE6E8B47C84BAA52C2D5EC67D99B8C78589FFC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000890626Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:22:50.603{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=273BCFD6579DBE7D372F0468E1E62147,SHA256=DA6DAFB754CFD2851EA79FCDA802801536DCB21638F4E6465472DC49A64E7A20,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001027614Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:22:50.767{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7AA07FDC239D72BF3A77B82FD5FD71A6,SHA256=A3C3F8EB02F9241C256035DC1DB097082AC5DACF5C5EC579A59DAEE0421289B5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001027613Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:22:50.423{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1DB714F66743E1EA92DA77C6DB26FECF,SHA256=23ABE62E5E4C18195585416F2D97C45641327B3EC142791313A5B8223694BB13,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000890625Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:22:50.088{D94AFF6C-6DD9-60FA-2200-00000000E701}1296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=85E02EEFEB94889C2B3FA0450D64D965,SHA256=FD2D44B44F455C51F744FDF6D494B2B2CAA113DD2D7C2DD2E0FED42E8CA25B0C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000890627Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:22:51.635{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B3076EE1B8B8087AD1003823FE1244D5,SHA256=B42332F9C16B0E6ED8E56E80F02C45E5B8ABB0A70CB431D110C29110454BAE80,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001027630Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:22:50.682{2E2BE06D-6DD6-60FA-0B00-00000000E601}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-56.attackrange.local57389-true0:0:0:0:0:0:0:1win-dc-56.attackrange.local389ldap 354300x80000000000000001027629Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:22:50.682{2E2BE06D-6DE8-60FA-2300-00000000E601}2740C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-56.attackrange.local57389-true0:0:0:0:0:0:0:1win-dc-56.attackrange.local389ldap 10341000x80000000000000001027628Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:22:51.829{2E2BE06D-6DE9-60FA-3300-00000000E601}31563176C:\Windows\system32\conhost.exe{2E2BE06D-70DB-60FE-3579-00000000E601}4228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027627Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:22:51.829{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027626Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:22:51.829{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027625Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:22:51.829{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027624Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:22:51.829{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027623Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:22:51.829{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027622Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:22:51.829{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027621Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:22:51.829{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027620Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:22:51.829{2E2BE06D-6DD6-60FA-0500-00000000E601}416536C:\Windows\system32\csrss.exe{2E2BE06D-70DB-60FE-3579-00000000E601}4228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001027619Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:22:51.814{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027618Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:22:51.814{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027617Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:22:51.814{2E2BE06D-6DE8-60FA-2700-00000000E601}28923740C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2E2BE06D-70DB-60FE-3579-00000000E601}4228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001027616Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:22:51.799{2E2BE06D-70DB-60FE-3579-00000000E601}4228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2E2BE06D-6DD6-60FA-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{2E2BE06D-6DE8-60FA-2700-00000000E601}2892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001027615Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:22:51.454{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5820FF380DE62D890F7FC62C4DCA4B15,SHA256=66EF5A07CB2A22D2772169FAD3F6A33282C050EA8E34813CD149AC7859468F11,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001027633Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:22:51.182{2E2BE06D-6DF4-60FA-6900-00000000E601}3676C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-56.attackrange.local57390-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001027632Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:22:52.814{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=207576805320402F7EB85F5044418D25,SHA256=2AAF1CD5D3EB55C73736A8BF61919FBE664682EACE26C817922716B714CB801F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001027631Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:22:52.501{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4FD18A5D470B29A3B7DE95BC39720CFA,SHA256=BD42C495A0461ED59A74CFA1AD9CE2F8D83688D8310BB2DA03E8A531A374B472,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000890629Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:22:52.666{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=642D9BEAD073F33C3B5ED58BFCC877A7,SHA256=23D5CDBA1DC9534247737560D868686C9DBCAECEF865D18B68B79DCF72F183DB,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000890628Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:22:42.106{D94AFF6C-6DD9-60FA-2200-00000000E701}1296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-702.eu-central-1.compute.internal52526-false10.0.1.12-8089- 23542300x8000000000000000890631Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:22:53.682{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C21F5F246E697464AABA02E6DE064C6E,SHA256=F6774413027CEF93CF74CD871FAF3F325927692F726C15B7B0BC43D9B9A0D283,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001027634Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:22:53.501{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7912072B5AA9F326937FC7FAE222C5AE,SHA256=900D27D38D9A5916CA57CA51E38F88E903563556088AB5D6EF36BF6EAB21C79C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000890630Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:22:43.122{D94AFF6C-6DE2-60FA-6100-00000000E701}3628C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-702.eu-central-1.compute.internal52527-false10.0.1.12-8000- 23542300x8000000000000000890632Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:22:54.791{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=45A3F4500F7C4EC15B7A3870A0F3B6B9,SHA256=480C3E7B07B0705B78D49ADB370C22C2D37838BFB55637C4582D1934CB74A690,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001027635Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:22:54.517{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C8EB971DA7388FB7E1F5448709BB3E9,SHA256=7D8CFB24CFA86D6232FB6148A0AA15E51B90D3A26CE6D3CB045435E0456A2A94,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000890633Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:22:55.807{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8EAF1BFE9D71247A63A6313ED4B93BA9,SHA256=82338E1108FDF8EE1C3AEEFCFDBF27A4891DBB17514236F6D14A114EF8978360,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001027636Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:22:55.579{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=10B36326A284238496417FB2B358281F,SHA256=CF5A5697BE8798F01AA3F9BC37E0D1C8C54A9913AF3EA14AE22AE4375F4BEBCD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001027637Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:22:56.595{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FFCFF43ABC8694B9A60A4A43A158E8CF,SHA256=DAC5E8927B47E21536A8FF1699DD43789F3731325AE6D665494F8546FE1B9D54,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000890634Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:22:56.854{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F69BF68B97D8CA0BC123B832F3B21FC5,SHA256=D262E11604D30803D45E2F469AC0DF977605485D7306C290B8802CFC5969CB8D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000890635Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:22:57.900{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C6EFF32CD1C4E62D55DD16F26B707E43,SHA256=BC946A82344F04EED14203B0A643BE141BC0F271116336E603B868324FF280D8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001027639Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:22:57.626{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=63EA3B6A1FD2A8DE28E1B999D4CC5FD4,SHA256=0C09E0520DE0765224D1665FA5E681887492608B54ECEB8C11E5F90A15294275,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001027638Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:22:56.338{2E2BE06D-6DF4-60FA-6900-00000000E601}3676C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-56.attackrange.local57391-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000890637Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:22:58.916{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B7F9A3D11BB4ADD39F601ACF71CEF5F1,SHA256=02B2A7068ABEF59EC8E0BCB6AABAAD97B7BDAA599CEF052AD12D6CC8449DA926,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001027640Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:22:58.626{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0CF3693C232F725F59A856285906C138,SHA256=4CB91EEE88BD5FA7DB6078E018109D14686CBAC249822AA3DB9524618923F5E6,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000890636Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:22:48.247{D94AFF6C-6DE2-60FA-6100-00000000E701}3628C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-702.eu-central-1.compute.internal52528-false10.0.1.12-8000- 23542300x8000000000000000890638Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:22:59.947{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=916EBE39EE7B52B1E5B449212566737D,SHA256=C20770E9F8C68223333AF4BBD12065EC2E4793155D331E618FB8D7C115F15F81,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001027641Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:22:59.626{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=401FEBE64BB9A5FD01184B40B0865688,SHA256=91DC15E57C52E4D4D277A8E117F134F0D81C0B5156A98C56AA7356C27B592DD0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000890639Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:23:00.979{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9FD74FEF51843FF20A42BF1849148A00,SHA256=DD1FB758E2B8B3DE93B9C692DB35119FB6C83CCD82ED14894218A4EF068FB817,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001027673Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:23:00.939{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8CB6C04F8984CF51588F6A9A7542BB20,SHA256=9EE5F9EF2725A0F0B447A2C4B58CCDB28442C3BE595879F814ED75FF5E4295DD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001027672Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:23:00.189{2E2BE06D-6DD8-60FA-0D00-00000000E601}904924C:\Windows\system32\svchost.exe{2E2BE06D-CA35-60FA-720B-00000000E601}3556C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027671Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:23:00.189{2E2BE06D-6DD8-60FA-0D00-00000000E601}904924C:\Windows\system32\svchost.exe{2E2BE06D-CA35-60FA-720B-00000000E601}3556C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027670Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:23:00.189{2E2BE06D-6DD8-60FA-0D00-00000000E601}904924C:\Windows\system32\svchost.exe{2E2BE06D-CA35-60FA-720B-00000000E601}3556C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027669Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:23:00.189{2E2BE06D-6DD8-60FA-0D00-00000000E601}904924C:\Windows\system32\svchost.exe{2E2BE06D-CA35-60FA-720B-00000000E601}3556C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027668Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:23:00.189{2E2BE06D-6DD8-60FA-0D00-00000000E601}904924C:\Windows\system32\svchost.exe{2E2BE06D-CA35-60FA-720B-00000000E601}3556C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027667Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:23:00.189{2E2BE06D-6DD8-60FA-0D00-00000000E601}904924C:\Windows\system32\svchost.exe{2E2BE06D-CA35-60FA-720B-00000000E601}3556C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027666Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:23:00.189{2E2BE06D-6DD8-60FA-0D00-00000000E601}904924C:\Windows\system32\svchost.exe{2E2BE06D-CA35-60FA-720B-00000000E601}3556C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027665Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:23:00.189{2E2BE06D-6DD8-60FA-0D00-00000000E601}904924C:\Windows\system32\svchost.exe{2E2BE06D-CA35-60FA-720B-00000000E601}3556C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027664Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:23:00.189{2E2BE06D-6DD8-60FA-0D00-00000000E601}904924C:\Windows\system32\svchost.exe{2E2BE06D-CA2C-60FA-630B-00000000E601}4728C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027663Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:23:00.189{2E2BE06D-6DD8-60FA-0D00-00000000E601}904924C:\Windows\system32\svchost.exe{2E2BE06D-CA2C-60FA-630B-00000000E601}4728C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027662Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:23:00.189{2E2BE06D-6DD8-60FA-0D00-00000000E601}904924C:\Windows\system32\svchost.exe{2E2BE06D-CA2C-60FA-630B-00000000E601}4728C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027661Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:23:00.189{2E2BE06D-6DD8-60FA-0D00-00000000E601}904924C:\Windows\system32\svchost.exe{2E2BE06D-CA2C-60FA-630B-00000000E601}4728C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027660Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:23:00.189{2E2BE06D-6DD8-60FA-0D00-00000000E601}904924C:\Windows\system32\svchost.exe{2E2BE06D-CA2C-60FA-630B-00000000E601}4728C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027659Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:23:00.189{2E2BE06D-6DD8-60FA-0D00-00000000E601}904924C:\Windows\system32\svchost.exe{2E2BE06D-CA2C-60FA-630B-00000000E601}4728C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027658Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:23:00.189{2E2BE06D-6DD8-60FA-0D00-00000000E601}904924C:\Windows\system32\svchost.exe{2E2BE06D-CA2C-60FA-630B-00000000E601}4728C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027657Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:23:00.189{2E2BE06D-6DD8-60FA-0D00-00000000E601}904924C:\Windows\system32\svchost.exe{2E2BE06D-CA2C-60FA-630B-00000000E601}4728C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027656Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:23:00.189{2E2BE06D-6DD8-60FA-0D00-00000000E601}904924C:\Windows\system32\svchost.exe{2E2BE06D-CA2C-60FA-630B-00000000E601}4728C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027655Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:23:00.189{2E2BE06D-6DD8-60FA-0D00-00000000E601}904924C:\Windows\system32\svchost.exe{2E2BE06D-CA2C-60FA-630B-00000000E601}4728C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027654Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:23:00.189{2E2BE06D-6DD8-60FA-0D00-00000000E601}904924C:\Windows\system32\svchost.exe{2E2BE06D-CA2C-60FA-630B-00000000E601}4728C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027653Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:23:00.189{2E2BE06D-6DD8-60FA-0D00-00000000E601}904924C:\Windows\system32\svchost.exe{2E2BE06D-CA2C-60FA-630B-00000000E601}4728C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027652Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:23:00.189{2E2BE06D-6DD8-60FA-0D00-00000000E601}904924C:\Windows\system32\svchost.exe{2E2BE06D-CA2C-60FA-630B-00000000E601}4728C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027651Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:23:00.189{2E2BE06D-6DD8-60FA-0D00-00000000E601}904924C:\Windows\system32\svchost.exe{2E2BE06D-CA2C-60FA-630B-00000000E601}4728C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027650Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:23:00.189{2E2BE06D-6DD8-60FA-0D00-00000000E601}904924C:\Windows\system32\svchost.exe{2E2BE06D-CA2C-60FA-630B-00000000E601}4728C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027649Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:23:00.189{2E2BE06D-6DD8-60FA-0D00-00000000E601}904924C:\Windows\system32\svchost.exe{2E2BE06D-CA2C-60FA-630B-00000000E601}4728C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027648Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:23:00.189{2E2BE06D-6DD8-60FA-0D00-00000000E601}904924C:\Windows\system32\svchost.exe{2E2BE06D-CA2C-60FA-630B-00000000E601}4728C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027647Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:23:00.189{2E2BE06D-6DD8-60FA-0D00-00000000E601}904924C:\Windows\system32\svchost.exe{2E2BE06D-CA2C-60FA-630B-00000000E601}4728C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027646Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:23:00.189{2E2BE06D-6DD8-60FA-0D00-00000000E601}904924C:\Windows\system32\svchost.exe{2E2BE06D-CA2C-60FA-630B-00000000E601}4728C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027645Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:23:00.189{2E2BE06D-6DD8-60FA-0D00-00000000E601}904924C:\Windows\system32\svchost.exe{2E2BE06D-CA2C-60FA-630B-00000000E601}4728C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027644Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:23:00.189{2E2BE06D-6DD8-60FA-0D00-00000000E601}904924C:\Windows\system32\svchost.exe{2E2BE06D-CA36-60FA-730B-00000000E601}712C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027643Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:23:00.189{2E2BE06D-6DD8-60FA-0D00-00000000E601}904924C:\Windows\system32\svchost.exe{2E2BE06D-CA36-60FA-730B-00000000E601}712C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027642Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:23:00.189{2E2BE06D-6DD8-60FA-0D00-00000000E601}904924C:\Windows\system32\svchost.exe{2E2BE06D-CA36-60FA-730B-00000000E601}712C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001027674Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:23:01.986{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F48745D0F3C13888F83465D6DE3028B2,SHA256=80B6E729FFE0CDE1C0326FC2314249E052F723AA2FA0CAE4F4F0A6758DAD6041,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001027675Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:23:02.986{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9DA0FBDA8F3A45558B93D636BB964309,SHA256=C966243FF2A0B8A4F25922620E5384B5D4F0013219CEE5D8C23E087D16109707,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000890640Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:23:02.010{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C122E27F6D6D0C15F15D04F3B0650284,SHA256=5EA8636E1BBB68BDE0BC0ADF78E4C01AFC2BF91CD4FDA77FF45C4967AA556646,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001027678Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:23:03.486{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=821478A565C1DC6D5CFFDC85CFB0A87A,SHA256=85E95E6267951D2FC6A04D0C0F65D0A0C2DD41E0E0D670D4DE7B0A6FDD6DCE9C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001027677Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:23:03.486{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3289FE2CBE669E95D18841BFEBAF981D,SHA256=ECE4E1A27C1A8BDD4DC6563A95330CD5D71ED117892382F3F9E45B97E2A4AE3C,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001027676Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:23:02.323{2E2BE06D-6DF4-60FA-6900-00000000E601}3676C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-56.attackrange.local57392-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000890642Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:22:54.200{D94AFF6C-6DE2-60FA-6100-00000000E701}3628C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-702.eu-central-1.compute.internal52529-false10.0.1.12-8000- 23542300x8000000000000000890641Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:23:03.025{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA470283C022AAED7AE7B3FCF8723E58,SHA256=836EA9B931E2360193782D0E9007B110F12B5830BB071FD074D89FFF1506D787,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000890643Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:23:04.057{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC61BC03545C1A864ECC4ED82D0A98BE,SHA256=530498BBE2A7E1AB21D647E83DA2378C189589B07F1F998DDAF3C77BCEA8C72F,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001027680Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:23:03.364{2E2BE06D-6DD8-60FA-0F00-00000000E601}368C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse212.102.34.235unn-212-102-34-235.datapacket.com32948-false10.0.1.14win-dc-56.attackrange.local3389ms-wbt-server 23542300x80000000000000001027679Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:23:04.204{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=287FAA818F054EE92D106F6D042B4D77,SHA256=213BB54C7B7D3D05B1468C05DA729E21A2E605C12610DF1D023AD298562D98D0,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000890647Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:22:55.809{D94AFF6C-6DD8-60FA-1000-00000000E701}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse212.102.34.235unn-212-102-34-235.datapacket.com43099-false10.0.1.15win-host-702.eu-central-1.compute.internal3389ms-wbt-server 23542300x8000000000000000890646Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:23:05.104{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F669E8936F2511EBA8287FE10CE14B9,SHA256=E331DC5DC3C9F45E8FB93B5872265C902A91236350952C012A6AFCE6C284ADC1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001027681Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:23:05.220{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EDE4528258B6339F58B82F5E479E1FEF,SHA256=383F3574D144D0EB2FE790428D6E6FCB57954D8792453EBF896EE57423C5AE8E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000890645Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:23:05.025{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B47C94A6EA86C5A10CF9F4D71E8DE1E0,SHA256=632A0F5F2393DCE9F00B98CC91BA1AE9932B7CFA84C011C6356E50080E2F445C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000890644Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:23:05.025{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=880781826A49FF6D078E1129116BF544,SHA256=07748BCEEA93FDF72C0F2495BD08B0BECD481C3F7BBD1D03CDBCB1FA269161A9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000890648Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:23:06.135{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=78A7013F02A22ADEEB1DBCB027015795,SHA256=027458B9F1505AA49E7A97E05927F4D42BCA530B61096BAA8D70FDE0A88F5B8C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001027682Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:23:06.236{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A3E7AA5EA6AF486E68DE575FDD80FE94,SHA256=472DA0ECF4CD0ECC5DE8F21077F2F63064F18C8CA71880B707DE346CEAFA3F5B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001027683Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:23:07.251{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=01D75E4FD808502D005AECD52A9CD13C,SHA256=B9C00083CE59ADEA1210CB7AAFC34642AD9A8546D4143585742D7A55F77C6E82,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000890649Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:23:07.166{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D996E9BB08F286B7D63A60724E16C1DB,SHA256=6F95025D31CB81A590ED0D2ADDA7FCC815EB64A58C381EFF625CD9EEA05D8CE0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000890650Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:23:08.197{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0544749DF44007247535F051C17E07C9,SHA256=CA2B209E45CE65BFA700A08C0F3446912B84285CEF4A943C2C9DE6470E05FDFA,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001027685Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:23:08.354{2E2BE06D-6DF4-60FA-6900-00000000E601}3676C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-56.attackrange.local57393-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001027684Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:23:08.267{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=11D155A0CD7DAE66A1950A74A78F22C9,SHA256=A65FB4685D29C3737A920AD631E6C3B91DDEE399ED666E11755C4DA136BE9CA4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000890651Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:23:09.244{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=28E6D7B87660C3CF20A11A2E43174F9B,SHA256=EC654232D213630B7BA3435BE63CB27475C9334B8DF704040167850F939403BE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001027686Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:23:09.270{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB16632DAE0655145672C51D3A68D7A0,SHA256=93AD75BF59CC28A055865613961F815FB422DCC0110DD9CFBC211954B65979FB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000890653Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:23:10.479{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=247567530D693144E28382448825EAE5,SHA256=B8CD1DE5BADFFB6258D97B2731AD23F1D8C53479AA5B1569DCE822E92A10FE2A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001027687Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:23:10.283{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A682626CA15399F6E0D957663CEF7083,SHA256=59AD9CF5B2783578D8AE1D0FA13D323AD8CCBECE9B9A9512F56D21C566A8159B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000890652Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:23:00.137{D94AFF6C-6DE2-60FA-6100-00000000E701}3628C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-702.eu-central-1.compute.internal52530-false10.0.1.12-8000- 23542300x8000000000000000890654Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:23:11.494{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=12E646373D94BB72BB39B4150BA36AB5,SHA256=A9C4E2B0150932EB3A9E608E9FC5573D81972E78F526B665210D55FD92545CD3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001027688Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:23:11.286{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A0BD02185DDE0EA95F971928BA9C45FC,SHA256=68DA3164FA2AE9DC1957991C3373F48737CC478463CCE3EF8CCACB1ACA642BE5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000890655Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:23:12.494{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5387B34A977D5409715DF35FAA1EAC7A,SHA256=23F83FAB3A19BB63FFE3CD51D2C90D89A00066844B6CC37FFEDE5E64332799EF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001027689Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:23:12.286{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=946E57E4BD1182854ADFAA88846F6DA8,SHA256=DD50D6FBE2BEC0857A30CEB995D564AF66941B3B1F8E758138B42411C456C8EA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000890656Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:23:13.541{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=40A76F79C875CCA8D672E3B242F50B39,SHA256=098C1B1F759A7563F9D929BE8EDA8FBE74267E77E389162684639AC0B3A831D6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001027690Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:23:13.302{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CEC208CE58024D07C97053C569E85CC6,SHA256=1CF7430B9844D9F8B645CE7901B72000D2C234AE121FCC7415D58F758918D7E8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000890660Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:23:14.572{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=85AE22255E1A98CB55C719E35E5FCE72,SHA256=34811FA49AAF1E3C1B0385187F085E1A164BC7CA31C6E87BDAF286350695EA8B,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001027692Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:23:14.279{2E2BE06D-6DF4-60FA-6900-00000000E601}3676C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-56.attackrange.local57394-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001027691Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:23:14.302{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=93398A3286D58FE95BEBDA410F59A350,SHA256=09CE56AA39F1A21A65FE56C82B03BDED30248C96BA805063450F2FBBF25B2C43,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000890659Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:23:14.432{D94AFF6C-6DD8-60FA-0C00-00000000E701}728864C:\Windows\system32\svchost.exe{D94AFF6C-6DD8-60FA-1300-00000000E701}684C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000890658Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:23:14.432{D94AFF6C-6DD8-60FA-0C00-00000000E701}728864C:\Windows\system32\svchost.exe{D94AFF6C-6DD8-60FA-1300-00000000E701}684C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000890657Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:23:14.432{D94AFF6C-6DD8-60FA-0C00-00000000E701}728864C:\Windows\system32\svchost.exe{D94AFF6C-6DD8-60FA-1300-00000000E701}684C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000890662Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:23:15.635{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EC85CA6B8F4BD634976F86BE2D4DABFE,SHA256=DFAD60A8D61539E0A906461DE871DB319ACD3151E15517FE60F10DD3241E0A44,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001027693Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:23:15.317{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F870F7136737A19DB1B6C458D1D2267,SHA256=E8ACF71D6DE7CD23ACE135997BCC093FA60D3FBD680DFCB758FC797427B1975A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000890661Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:23:05.246{D94AFF6C-6DE2-60FA-6100-00000000E701}3628C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-702.eu-central-1.compute.internal52531-false10.0.1.12-8000- 23542300x8000000000000000890663Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:23:16.650{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C291A06BCE334F89F5CD8D7B48394720,SHA256=2668135386A4D299FC042C5905F73370629F799677B2E276A1C559B27E80877F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001027694Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:23:16.348{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F8207AE5B189A4E86B0A16B2B04B12A1,SHA256=7624397BCBF7DE24BEF01E00459AD270D4A66F4C9873524AB61823277ABD16CA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000890667Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:23:17.650{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=033D4863578959899B4720D50383CB32,SHA256=17E63EC1F2F063A850F91D643E29A6E8C1626B88888F8B0C708530B9676C6B7B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001027696Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:23:17.848{2E2BE06D-6DD8-60FA-1200-00000000E601}780NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=F7F9EC36AD7B09ACBD6C6AAD7ADEC140,SHA256=611E718DDD11BCD0BF863285037D7EC4CD8976639F7F383CD8E64A78ED034A63,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001027695Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:23:17.380{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E75158F0C7C00929F3A0D9193C98C884,SHA256=6392A852D1F883792D5C446B4126EBFDEB43A59B46A18C8B194602D897036FFE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000890666Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:23:17.072{D94AFF6C-6DD8-60FA-0C00-00000000E701}728864C:\Windows\system32\svchost.exe{D94AFF6C-6DD8-60FA-0B00-00000000E701}632C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000890665Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:23:17.072{D94AFF6C-6DD8-60FA-0C00-00000000E701}728864C:\Windows\system32\svchost.exe{D94AFF6C-6DD8-60FA-0B00-00000000E701}632C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000890664Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:23:17.072{D94AFF6C-6DD8-60FA-0B00-00000000E701}6322464C:\Windows\system32\lsass.exe{D94AFF6C-6DD8-60FA-0A00-00000000E701}624C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000890671Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:23:09.118{D94AFF6C-6DD8-60FA-1700-00000000E701}1200C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcptruefalse10.0.1.15win-host-702.eu-central-1.compute.internal52532-false93.184.221.240-80http 23542300x8000000000000000890670Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:23:18.666{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0263D7F5246712878297118B464C1A0D,SHA256=C552C2D80156EF8051DBB8DF70A55CC9740D05668766091A84C111F546A96B24,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001027700Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:23:18.216{2E2BE06D-6DE8-60FA-2800-00000000E601}2908C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-56.attackrange.local53domainfalse10.0.1.15WIN-HOST-70257786- 354300x80000000000000001027699Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:23:18.215{2E2BE06D-6DE8-60FA-2800-00000000E601}2908C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-56.attackrange.local53domainfalse10.0.1.15WIN-HOST-70253824- 354300x80000000000000001027698Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:23:18.214{2E2BE06D-6DE8-60FA-2800-00000000E601}2908C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-56.attackrange.local53domainfalse10.0.1.15WIN-HOST-70256756- 23542300x80000000000000001027697Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:23:18.380{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D84C473D1CE9B5A076AE9F9DC8CB5095,SHA256=BD0D0A2BD0DEB030BD9AA943BD01660A5ED785B1AF5513035BE8721F85ED0367,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000890669Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:23:18.135{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=4EDE245C4B2AAAADEF73DB36D4859097,SHA256=9D23D27B36C6A7C94929FE81EB6096BBFD941C21D71D2FDC7A57220B4797434A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000890668Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:23:18.135{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=E9818F311E5C33F6E90B8E3A0DEA77FA,SHA256=444EE4FD71C8F9C3643055F8AE969124369368DB822412F116C8DB244DAC9616,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000890672Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:23:19.682{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1EB06D942FF52ABFBC9EA3A8DD6715F2,SHA256=4AF3D6CC1F19E93CE1FDCD88C28AFA86807547DBFAC1F6E34E59E8BD1765154E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001027701Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:23:19.395{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=009BF7779B09A1C3BADE0CD69E0034DB,SHA256=4FE28CCF09DFF29CF59618EF4DCE12B58B21932AEBAB5846BEF0A0E2E1748DE8,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000890674Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:23:11.215{D94AFF6C-6DE2-60FA-6100-00000000E701}3628C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-702.eu-central-1.compute.internal52533-false10.0.1.12-8000- 23542300x8000000000000000890673Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:23:20.682{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A6E2332C3A7262EC88540DB7CA78F41,SHA256=7D48D76E90EE56005A78BE371207092FCE1344B33610A01342462B3B0B50F357,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001027702Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:23:20.411{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EAE74F253E1894311804BC7DAD5481D2,SHA256=F327661D5441D7112A071A5C58ECA207AC201EA0C8F7AE42B61E2A1FF5D44D8C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000890675Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:23:21.697{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7797DFC1283F6EF6416B2DF9F9F8A22D,SHA256=E6CBF8186256A85734216ADB5B1F41D147C1ED132E86A64B84FA8C335EE526C2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001027707Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:23:21.411{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F6F5DA36599C482DC4308E39292777D3,SHA256=B1D0FD9A237C3A4BF93F4B10F961D839BB967D81037759334FE92527122F058B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001027706Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:23:21.395{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DD9-60FA-1600-00000000E601}1332C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027705Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:23:21.395{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DD9-60FA-1600-00000000E601}1332C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027704Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:23:21.395{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DD9-60FA-1600-00000000E601}1332C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001027703Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:23:20.232{2E2BE06D-6DF4-60FA-6900-00000000E601}3676C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-56.attackrange.local57395-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000890676Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:23:22.713{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A1B06693B08B647A99C339CE95098316,SHA256=BB6FA0F02FB590E64D4ED4DE55843878C58303A538045552F126B3D59BB7DFF1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001027708Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:23:22.426{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=516616E947FF1EE8785005A828EDD107,SHA256=251C4C780CD3A5B57065087E692329D1689E731ECB2CA4FDD062589EF786B977,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000890677Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:23:23.729{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A78B124424C134D2A9025F154D08552A,SHA256=A4710B140BE5E8E4623737266552A4E5D9C9BD2A00B59035967C1D2B47D89F1E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001027709Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:23:23.473{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8084268B84CCF717FF7A5728EB49C445,SHA256=D8D02321B27627295C39613A6D0DDE522848E41DAB075CBD34AEDA6BECBC4DE4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000890678Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:23:24.744{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E441E9F8BAAA8CBC23BBD9FBB9545B30,SHA256=67B1F96B0C66C26BF64BAD2F649D64B126755CDF6EF258F6A0D32BCEE6FF2386,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001027711Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:23:24.989{2E2BE06D-6DE8-60FA-2700-00000000E601}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=85E02EEFEB94889C2B3FA0450D64D965,SHA256=FD2D44B44F455C51F744FDF6D494B2B2CAA113DD2D7C2DD2E0FED42E8CA25B0C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001027710Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:23:24.551{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3FF71B425A95967BFC028AF99AD1E33D,SHA256=7851FA43B9C036210DFDE21765F23B8017C4ECED744D47E3A75011DF0C6A0177,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001027712Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:23:25.551{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D4E6777491E45B109FC67DE8FBC8571,SHA256=F4CF1CCF4322F4624D251402155093888F7BB6DB777968F02C7C617B681A31E4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000890679Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:23:25.760{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F7AE750E748B0BC1D7C889597B70C8A5,SHA256=454F32A9D27572C98AEB4661923C792F5422F14759ED7FBA141E7AEE32A120F9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000890681Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:23:26.775{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=263C9733E6263C3F58D69A4100C18A80,SHA256=EC301BA720238749476C37271E3B75D10843D3CB170D8E10EF3BB40BA93D8BF9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001027715Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:23:26.692{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A62061B57B873B59C4F444635EBA0CE9,SHA256=EF101ED8DD07FB01EA918066F167BBBA306B2D2AC2CF5D167E49F76F7EE292E0,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001027714Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:23:26.108{2E2BE06D-6DE8-60FA-2700-00000000E601}2892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-56.attackrange.local57397-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 354300x80000000000000001027713Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:23:25.373{2E2BE06D-6DF4-60FA-6900-00000000E601}3676C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-56.attackrange.local57396-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000890680Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:23:17.089{D94AFF6C-6DE2-60FA-6100-00000000E701}3628C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-702.eu-central-1.compute.internal52534-false10.0.1.12-8000- 10341000x8000000000000000890695Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:23:27.916{D94AFF6C-6DDA-60FA-2B00-00000000E701}28322852C:\Windows\system32\conhost.exe{D94AFF6C-70FF-60FE-A978-00000000E701}2368C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000890694Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:23:27.900{D94AFF6C-6DD8-60FA-0C00-00000000E701}728864C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000890693Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:23:27.900{D94AFF6C-6DD8-60FA-0C00-00000000E701}728864C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000890692Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:23:27.900{D94AFF6C-6DD8-60FA-0C00-00000000E701}728864C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000890691Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:23:27.900{D94AFF6C-6DD8-60FA-0C00-00000000E701}728864C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000890690Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:23:27.900{D94AFF6C-6DD8-60FA-0C00-00000000E701}728864C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000890689Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:23:27.900{D94AFF6C-6DD8-60FA-0C00-00000000E701}728864C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000890688Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:23:27.900{D94AFF6C-6DD8-60FA-0C00-00000000E701}728864C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000890687Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:23:27.900{D94AFF6C-6DD8-60FA-0C00-00000000E701}728864C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000890686Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:23:27.900{D94AFF6C-6DD8-60FA-0C00-00000000E701}728864C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000890685Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:23:27.900{D94AFF6C-6DD7-60FA-0500-00000000E701}416432C:\Windows\system32\csrss.exe{D94AFF6C-70FF-60FE-A978-00000000E701}2368C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000890684Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:23:27.900{D94AFF6C-6DD9-60FA-2200-00000000E701}12963324C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D94AFF6C-70FF-60FE-A978-00000000E701}2368C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000890683Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:23:27.901{D94AFF6C-70FF-60FE-A978-00000000E701}2368C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D94AFF6C-6DD8-60FA-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{D94AFF6C-6DD9-60FA-2200-00000000E701}1296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000890682Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:23:27.791{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D54E3954B258540B3F12FF8A17690FF2,SHA256=E90A4569F2569AB766E925CCF2A903FF0260710911471A01F7D4E30513D9BBBD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001027716Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:23:27.708{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC7A9870609EB782B0D06B68DFF6A34B,SHA256=75F5BF4E9BAEFE8A342331D5476109E797FAB82042C49BFFEEB3ED0FD1C28AE5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001027717Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:23:28.723{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A1AD7931F931E4711167C52E8E1E36CF,SHA256=1E166D2CA659BE8D52DBA29EB4F0C25DC2C1E6C9A71940D192197A155C96E339,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000890709Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:23:28.588{D94AFF6C-6DDA-60FA-2B00-00000000E701}28322852C:\Windows\system32\conhost.exe{D94AFF6C-7100-60FE-AA78-00000000E701}3208C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000890708Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:23:28.572{D94AFF6C-6DD8-60FA-0C00-00000000E701}728864C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000890707Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:23:28.572{D94AFF6C-6DD8-60FA-0C00-00000000E701}728864C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000890706Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:23:28.572{D94AFF6C-6DD8-60FA-0C00-00000000E701}728864C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000890705Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:23:28.572{D94AFF6C-6DD8-60FA-0C00-00000000E701}728864C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000890704Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:23:28.572{D94AFF6C-6DD8-60FA-0C00-00000000E701}728864C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000890703Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:23:28.572{D94AFF6C-6DD8-60FA-0C00-00000000E701}728864C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000890702Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:23:28.572{D94AFF6C-6DD8-60FA-0C00-00000000E701}728864C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000890701Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:23:28.572{D94AFF6C-6DD8-60FA-0C00-00000000E701}728864C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000890700Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:23:28.572{D94AFF6C-6DD8-60FA-0C00-00000000E701}728864C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000890699Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:23:28.572{D94AFF6C-6DD7-60FA-0500-00000000E701}4161852C:\Windows\system32\csrss.exe{D94AFF6C-7100-60FE-AA78-00000000E701}3208C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000890698Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:23:28.572{D94AFF6C-6DD9-60FA-2200-00000000E701}12963324C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D94AFF6C-7100-60FE-AA78-00000000E701}3208C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000890697Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:23:28.573{D94AFF6C-7100-60FE-AA78-00000000E701}3208C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D94AFF6C-6DD8-60FA-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{D94AFF6C-6DD9-60FA-2200-00000000E701}1296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000890696Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:23:28.025{D94AFF6C-70FF-60FE-A978-00000000E701}23683316C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{D94AFF6C-6DD9-60FA-2200-00000000E701}1296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001027718Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:23:29.739{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D1C4FFEFEE74DC310ECCEDD88D16AA41,SHA256=A77385A66E09F68B15BAE991EA18222789CA7D3C509A6876FEA434EC2176188F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000890738Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:23:29.854{D94AFF6C-6DDA-60FA-2B00-00000000E701}28322852C:\Windows\system32\conhost.exe{D94AFF6C-7101-60FE-AC78-00000000E701}844C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000890737Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:23:29.838{D94AFF6C-6DD8-60FA-0C00-00000000E701}728864C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000890736Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:23:29.838{D94AFF6C-6DD8-60FA-0C00-00000000E701}728864C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000890735Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:23:29.838{D94AFF6C-6DD8-60FA-0C00-00000000E701}728864C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000890734Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:23:29.838{D94AFF6C-6DD8-60FA-0C00-00000000E701}728864C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000890733Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:23:29.838{D94AFF6C-6DD8-60FA-0C00-00000000E701}728864C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000890732Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:23:29.838{D94AFF6C-6DD8-60FA-0C00-00000000E701}728864C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000890731Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:23:29.838{D94AFF6C-6DD8-60FA-0C00-00000000E701}728864C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000890730Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:23:29.838{D94AFF6C-6DD8-60FA-0C00-00000000E701}728864C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000890729Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:23:29.838{D94AFF6C-6DD8-60FA-0C00-00000000E701}728864C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000890728Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:23:29.838{D94AFF6C-6DD7-60FA-0500-00000000E701}4161060C:\Windows\system32\csrss.exe{D94AFF6C-7101-60FE-AC78-00000000E701}844C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000890727Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:23:29.838{D94AFF6C-6DD9-60FA-2200-00000000E701}12963324C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D94AFF6C-7101-60FE-AC78-00000000E701}844C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000890726Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:23:29.839{D94AFF6C-7101-60FE-AC78-00000000E701}844C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D94AFF6C-6DD8-60FA-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{D94AFF6C-6DD9-60FA-2200-00000000E701}1296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000890725Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:23:29.166{D94AFF6C-6DDA-60FA-2B00-00000000E701}28322852C:\Windows\system32\conhost.exe{D94AFF6C-7101-60FE-AB78-00000000E701}2948C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000890724Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:23:29.166{D94AFF6C-6DD8-60FA-0C00-00000000E701}728864C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000890723Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:23:29.166{D94AFF6C-6DD8-60FA-0C00-00000000E701}728864C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000890722Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:23:29.166{D94AFF6C-6DD8-60FA-0C00-00000000E701}728864C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000890721Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:23:29.166{D94AFF6C-6DD8-60FA-0C00-00000000E701}728864C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000890720Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:23:29.166{D94AFF6C-6DD8-60FA-0C00-00000000E701}728864C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000890719Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:23:29.166{D94AFF6C-6DD8-60FA-0C00-00000000E701}728864C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000890718Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:23:29.166{D94AFF6C-6DD8-60FA-0C00-00000000E701}728864C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000890717Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:23:29.166{D94AFF6C-6DD8-60FA-0C00-00000000E701}728864C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000890716Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:23:29.166{D94AFF6C-6DD8-60FA-0C00-00000000E701}728864C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000890715Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:23:29.166{D94AFF6C-6DD7-60FA-0500-00000000E701}416432C:\Windows\system32\csrss.exe{D94AFF6C-7101-60FE-AB78-00000000E701}2948C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000890714Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:23:29.166{D94AFF6C-6DD9-60FA-2200-00000000E701}12963324C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D94AFF6C-7101-60FE-AB78-00000000E701}2948C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000890713Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:23:29.153{D94AFF6C-7101-60FE-AB78-00000000E701}2948C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D94AFF6C-6DD8-60FA-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{D94AFF6C-6DD9-60FA-2200-00000000E701}1296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000890712Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:23:29.151{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B03896ADD09EC6A37D66CAC034CD0CFB,SHA256=C32C62BC0A5E720442A7E0EDD70A0B92C0639C28E52DE6F151502014EC007099,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000890711Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:23:29.151{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B47C94A6EA86C5A10CF9F4D71E8DE1E0,SHA256=632A0F5F2393DCE9F00B98CC91BA1AE9932B7CFA84C011C6356E50080E2F445C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000890710Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:23:29.151{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=92641BB1E82815A9138087BD2EE91544,SHA256=CA3674B5417A1A1EB5482C62D2F67BEACA121208BAB880E5D860B23490189522,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000890740Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:23:30.291{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B44D754317D8D11CA40BE0C39E67C559,SHA256=823D0C600D2FB6E9DDCE59FA6A7CF0831DE6F17075E6573DC5640991269A226A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000890739Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:23:30.291{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B03896ADD09EC6A37D66CAC034CD0CFB,SHA256=C32C62BC0A5E720442A7E0EDD70A0B92C0639C28E52DE6F151502014EC007099,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001027719Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:23:30.739{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=74F8273B39622A6F6C0A2BF6FFF2DF96,SHA256=BC10EABA29EA3B48220E5ABB173A5FDDEE998ECB5394AACBE314DCC672D3258B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000890742Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:23:22.230{D94AFF6C-6DE2-60FA-6100-00000000E701}3628C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-702.eu-central-1.compute.internal52535-false10.0.1.12-8000- 23542300x8000000000000000890741Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:23:31.541{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE9761484608EB93101B5B4A7AAE7894,SHA256=962DC265098D833A0339BF7F71F93E16265DFFDC9AE3674B914FCC1019150A98,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001027721Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:23:31.801{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F95AA17A1BB18BE2A700404DAFD3CD16,SHA256=BE6F3A0DF4E7475ABB6E66BF95B8B88738C11796A60A287BFD7D9F7DDB14B8D6,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001027720Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:23:31.279{2E2BE06D-6DF4-60FA-6900-00000000E601}3676C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-56.attackrange.local57398-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000890743Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:23:32.713{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=263150613270A3FD122CB73A1AADF0A7,SHA256=624817CD186A0F433C175A924A6B384F0987E7790ABE27FD0CA67804EE3159FF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001027722Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:23:32.817{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=95C952046E8C3055CEE2EA8D76B2A997,SHA256=7BA1FCB69B1B0BF07BB187BFFC0DE2EE317B87379BE398F023F13E05C5256A01,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001027723Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:23:33.817{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0080921CEEC4681DD55F53D8DB1C3B1A,SHA256=1A40BAF3BC1A7F3A8E3FF52DA8CBC955A1C3A20A9FC95B92ED8FA7D625902898,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000890744Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:23:33.822{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=73551CA7BECD0ECE7AC31FC764AFA4BF,SHA256=B57F9962AAC3B3C5AD2F20EFB3C75AC288D5E916F426E66F0417E6BCB4B154FC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001027724Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:23:34.848{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6350E0C3AA9A2E607D3CACB2034CBE1B,SHA256=FA147DEE63982322B8BD6B72BA81C337EB0F2A2EF251D4BF541BF2840DA3C7DB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000890745Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:23:34.838{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C1B019E1147B58D3FF5E04DE49E5AF06,SHA256=03382AE89C3C6E0C9D37335DA49872755CE2D3B1C8C9B6A3137CA4E0701184A8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000890760Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:23:35.869{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E0BBEAAF552D8D95E5A08D2F2BBA98C5,SHA256=88DD24214AAB5302BFD3B4E666895AFE94F5098B01444754CA6BAF836F5AFA54,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001027725Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:23:35.942{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=28A0E2A0501111A4DD0ADF0069FD74B2,SHA256=8C55BBB52AC097C05776FB07E6D33170AE99C9D08B24C8076D6977AB3E48F985,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000890759Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:23:35.838{D94AFF6C-7107-60FE-AD78-00000000E701}1080884C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D94AFF6C-6DD9-60FA-2200-00000000E701}1296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000890758Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:23:35.697{D94AFF6C-6DDA-60FA-2B00-00000000E701}28322852C:\Windows\system32\conhost.exe{D94AFF6C-7107-60FE-AD78-00000000E701}1080C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000890757Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:23:35.697{D94AFF6C-6DD8-60FA-0C00-00000000E701}728864C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000890756Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:23:35.697{D94AFF6C-6DD8-60FA-0C00-00000000E701}728864C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000890755Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:23:35.697{D94AFF6C-6DD8-60FA-0C00-00000000E701}728864C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000890754Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:23:35.697{D94AFF6C-6DD8-60FA-0C00-00000000E701}728864C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000890753Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:23:35.697{D94AFF6C-6DD8-60FA-0C00-00000000E701}728864C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000890752Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:23:35.697{D94AFF6C-6DD8-60FA-0C00-00000000E701}728864C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000890751Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:23:35.697{D94AFF6C-6DD8-60FA-0C00-00000000E701}728864C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000890750Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:23:35.682{D94AFF6C-6DD8-60FA-0C00-00000000E701}728864C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000890749Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:23:35.682{D94AFF6C-6DD8-60FA-0C00-00000000E701}728864C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000890748Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:23:35.682{D94AFF6C-6DD7-60FA-0500-00000000E701}4161060C:\Windows\system32\csrss.exe{D94AFF6C-7107-60FE-AD78-00000000E701}1080C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000890747Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:23:35.682{D94AFF6C-6DD9-60FA-2200-00000000E701}12963324C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D94AFF6C-7107-60FE-AD78-00000000E701}1080C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000890746Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:23:35.682{D94AFF6C-7107-60FE-AD78-00000000E701}1080C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D94AFF6C-6DD8-60FA-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{D94AFF6C-6DD9-60FA-2200-00000000E701}1296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000890763Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:23:36.916{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A7BC3C8E8AB8825C8C61BE75B02757DF,SHA256=78E00293ECAF4182AA9F996837218CD6976DA6371781836DCA07DE388E28A472,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000890762Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:23:36.682{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=35DF96AFEAB3740E29DE40210CE04B5F,SHA256=081147E6B947CAA1C9B93D3371F03A46797E0A58F2C7B5F9B11FC880952270DC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000890761Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:23:36.682{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5BA68A27D14E71A8CEB0EE2591D9CF2A,SHA256=06103EEB01B947A182E6FD116C189521DA85DC589471B9006F1469662505C876,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000890764Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:23:37.932{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E0C0B6B745034C7DED8A24D2ABB967DD,SHA256=C4D6E6C33CA1DC3BC364F3854E82FA0BC5747786C93A4AC0A78AE511197E6698,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001027727Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:23:37.232{2E2BE06D-6DF4-60FA-6900-00000000E601}3676C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-56.attackrange.local57399-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001027726Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:23:37.036{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=90EE80EE599358A91B31E4DE578A3242,SHA256=E9D1A83962A391C8016532D357A656041F4CF8D798DF8077C7EF9BF23CE91602,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000890766Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:23:38.947{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=68339A45547C442881ED0A3CD7C79CCA,SHA256=E1FCF62A9BAEBB92EDC79F79E1DB7208D09ABC16C8D84DC627BDD3ED2D52F9F4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000890765Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:23:28.136{D94AFF6C-6DE2-60FA-6100-00000000E701}3628C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-702.eu-central-1.compute.internal52536-false10.0.1.12-8000- 23542300x80000000000000001027728Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:23:38.067{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D2340DEE458F6E3BE18A2E317839A15,SHA256=C6157B4DF551F3AE79FFBADDAD6F4B7F3BC3D61F43378915F4CAE3B77A2FA8AC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000890781Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:23:39.963{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F05A9D9F20519E0153F14962478E7F6,SHA256=47E266176373D3AD7516EC35EE867709E7D1100BB13C95A6DA5DB5E1306D59A7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001027733Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:23:39.723{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FFA634EC342B3A99EED318DDF78FF8E6,SHA256=D3F65580ACAB2273E2A8185429749B2DB86E81867C9BCEB0CDC8793A4BF24679,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001027732Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:23:39.723{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=821478A565C1DC6D5CFFDC85CFB0A87A,SHA256=85E95E6267951D2FC6A04D0C0F65D0A0C2DD41E0E0D670D4DE7B0A6FDD6DCE9C,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001027731Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:23:38.708{2E2BE06D-6DD8-60FA-0F00-00000000E601}368C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse112.29.139.34-14328-false10.0.1.14win-dc-56.attackrange.local3389ms-wbt-server 13241300x80000000000000001027730Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-SetValue2021-07-26 08:23:39.145{2E2BE06D-6DD8-60FA-1400-00000000E601}688C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d781f7-0x8951b1c1) 23542300x80000000000000001027729Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:23:39.098{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=529176F5A97E9D91AAAF25B4E7C72081,SHA256=FAA90EFCCA52890B19F9E6A24A25B23551A7F823C1D5BBA5A89C76D3C12D364E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000890780Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:23:39.791{D94AFF6C-710B-60FE-AE78-00000000E701}22562460C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{D94AFF6C-6DD9-60FA-2200-00000000E701}1296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000890779Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:23:39.666{D94AFF6C-6DDA-60FA-2B00-00000000E701}28322852C:\Windows\system32\conhost.exe{D94AFF6C-710B-60FE-AE78-00000000E701}2256C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000890778Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:23:39.651{D94AFF6C-6DD8-60FA-0C00-00000000E701}728864C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000890777Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:23:39.651{D94AFF6C-6DD8-60FA-0C00-00000000E701}728864C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000890776Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:23:39.651{D94AFF6C-6DD8-60FA-0C00-00000000E701}728864C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000890775Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:23:39.651{D94AFF6C-6DD8-60FA-0C00-00000000E701}728864C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000890774Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:23:39.651{D94AFF6C-6DD8-60FA-0C00-00000000E701}728864C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000890773Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:23:39.651{D94AFF6C-6DD8-60FA-0C00-00000000E701}728864C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000890772Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:23:39.651{D94AFF6C-6DD8-60FA-0C00-00000000E701}728864C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000890771Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:23:39.651{D94AFF6C-6DD8-60FA-0C00-00000000E701}728864C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000890770Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:23:39.651{D94AFF6C-6DD8-60FA-0C00-00000000E701}728864C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000890769Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:23:39.651{D94AFF6C-6DD7-60FA-0500-00000000E701}4161852C:\Windows\system32\csrss.exe{D94AFF6C-710B-60FE-AE78-00000000E701}2256C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000890768Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:23:39.651{D94AFF6C-6DD9-60FA-2200-00000000E701}12963324C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D94AFF6C-710B-60FE-AE78-00000000E701}2256C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000890767Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:23:39.651{D94AFF6C-710B-60FE-AE78-00000000E701}2256C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D94AFF6C-6DD8-60FA-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{D94AFF6C-6DD9-60FA-2200-00000000E701}1296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000890797Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:23:40.979{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=66B0C7656A96938345FB19BA3B00F73F,SHA256=F7B759FAE102EBC6F1D94E3110F36E34A0731463AABA5A30ED4D1691C8BF861F,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001027735Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:23:40.263{2E2BE06D-6DD8-60FA-1400-00000000E601}688C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruefalse10.0.1.14win-dc-56.attackrange.local123ntpfalse20.101.57.9-123ntp 23542300x80000000000000001027734Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:23:40.098{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA9F88CF9A99501E9A519CABF82CAF0D,SHA256=55E5A676C5E3B6A051205DEF82797915FBB9BBE76CEF4C62A5FC33FACEA4D620,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000890796Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:23:40.682{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=35DF96AFEAB3740E29DE40210CE04B5F,SHA256=081147E6B947CAA1C9B93D3371F03A46797E0A58F2C7B5F9B11FC880952270DC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000890795Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:23:40.447{D94AFF6C-710C-60FE-AF78-00000000E701}28881892C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D94AFF6C-6DD9-60FA-2200-00000000E701}1296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000890794Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:23:40.338{D94AFF6C-6DDA-60FA-2B00-00000000E701}28322852C:\Windows\system32\conhost.exe{D94AFF6C-710C-60FE-AF78-00000000E701}2888C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000890793Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:23:40.322{D94AFF6C-6DD8-60FA-0C00-00000000E701}728864C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000890792Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:23:40.322{D94AFF6C-6DD8-60FA-0C00-00000000E701}728864C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000890791Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:23:40.322{D94AFF6C-6DD8-60FA-0C00-00000000E701}728864C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000890790Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:23:40.322{D94AFF6C-6DD8-60FA-0C00-00000000E701}728864C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000890789Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:23:40.322{D94AFF6C-6DD8-60FA-0C00-00000000E701}728864C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000890788Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:23:40.322{D94AFF6C-6DD8-60FA-0C00-00000000E701}728864C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000890787Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:23:40.322{D94AFF6C-6DD8-60FA-0C00-00000000E701}728864C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000890786Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:23:40.322{D94AFF6C-6DD8-60FA-0C00-00000000E701}728864C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000890785Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:23:40.322{D94AFF6C-6DD8-60FA-0C00-00000000E701}728864C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000890784Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:23:40.322{D94AFF6C-6DD7-60FA-0500-00000000E701}4161060C:\Windows\system32\csrss.exe{D94AFF6C-710C-60FE-AF78-00000000E701}2888C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000890783Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:23:40.322{D94AFF6C-6DD9-60FA-2200-00000000E701}12963324C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D94AFF6C-710C-60FE-AF78-00000000E701}2888C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000890782Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:23:40.323{D94AFF6C-710C-60FE-AF78-00000000E701}2888C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{D94AFF6C-6DD8-60FA-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{D94AFF6C-6DD9-60FA-2200-00000000E701}1296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000890798Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:23:41.994{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B523EBEB7DFC7726AE95F144922FD26,SHA256=2FF265D9352D8E27E341E809C2011430B0301BD6086B38E68BC70F5A18824BF8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001027736Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:23:41.129{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A88CC29E2EDAC9039C3D31A24C3FE231,SHA256=67E2637948E1B6F85802F34CECFE13E1F61049A147C849395B9289C022E49B21,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000890799Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:23:32.142{D94AFF6C-6DD8-60FA-1000-00000000E701}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse191.96.168.227-54963-false10.0.1.15win-host-702.eu-central-1.compute.internal3389ms-wbt-server 354300x80000000000000001027738Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:23:42.389{2E2BE06D-6DF4-60FA-6900-00000000E601}3676C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-56.attackrange.local57400-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001027737Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:23:42.129{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C10078537B133D3AACAAFA57A5D49C5A,SHA256=71470E95FC366816640812DA365D48E79A6ECA014D8BA4F7A02E5FA0FC0D4EE1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000890801Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:23:33.245{D94AFF6C-6DE2-60FA-6100-00000000E701}3628C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-702.eu-central-1.compute.internal52537-false10.0.1.12-8000- 23542300x8000000000000000890800Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:23:43.011{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C56EE13E3162009B5F5A0E877DFCB7AE,SHA256=CD7800A4EEF68C731E738AD36EBD470EE413B3F98FF3B0F51A6507DF077E05F4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001027739Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:23:43.129{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C2EB51BAC40F932E3E072D89101F407,SHA256=6FA5BB7CF8EBED85F3C93760079E379C3DF31046889FC5F095D63C50E8F05FE3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000890802Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:23:44.211{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C1F182E468704DFD3A7F7239E0DB1A3F,SHA256=02723F35441CDB72AA1BBA0E62F71C871ADD5BA303181EC412C4DF5A79FAB364,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001027767Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:23:44.770{2E2BE06D-6DE9-60FA-3300-00000000E601}31563176C:\Windows\system32\conhost.exe{2E2BE06D-7110-60FE-3779-00000000E601}6756C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027766Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:23:44.770{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027765Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:23:44.770{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027764Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:23:44.770{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027763Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:23:44.770{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027762Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:23:44.770{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027761Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:23:44.770{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027760Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:23:44.770{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027759Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:23:44.770{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027758Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:23:44.770{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027757Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:23:44.754{2E2BE06D-6DD6-60FA-0500-00000000E601}416420C:\Windows\system32\csrss.exe{2E2BE06D-7110-60FE-3779-00000000E601}6756C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001027756Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:23:44.754{2E2BE06D-6DE8-60FA-2700-00000000E601}28923740C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2E2BE06D-7110-60FE-3779-00000000E601}6756C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001027755Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:23:44.755{2E2BE06D-7110-60FE-3779-00000000E601}6756C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2E2BE06D-6DD6-60FA-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{2E2BE06D-6DE8-60FA-2700-00000000E601}2892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001027754Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:23:44.317{2E2BE06D-7110-60FE-3679-00000000E601}21324284C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{2E2BE06D-6DE8-60FA-2700-00000000E601}2892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001027753Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:23:44.145{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C1E67C58B2E543C098D83AFCE1579E4B,SHA256=22D5E0128417185F5ECB0707D75F263535F4C2F29623A6D4DD21839AD5E1C062,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001027752Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:23:44.082{2E2BE06D-6DE9-60FA-3300-00000000E601}31563176C:\Windows\system32\conhost.exe{2E2BE06D-7110-60FE-3679-00000000E601}2132C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027751Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:23:44.082{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027750Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:23:44.082{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027749Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:23:44.082{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027748Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:23:44.082{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027747Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:23:44.082{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027746Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:23:44.082{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027745Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:23:44.082{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027744Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:23:44.082{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027743Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:23:44.082{2E2BE06D-6DD6-60FA-0500-00000000E601}416432C:\Windows\system32\csrss.exe{2E2BE06D-7110-60FE-3679-00000000E601}2132C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001027742Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:23:44.082{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027741Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:23:44.082{2E2BE06D-6DE8-60FA-2700-00000000E601}28923740C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2E2BE06D-7110-60FE-3679-00000000E601}2132C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001027740Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:23:44.068{2E2BE06D-7110-60FE-3679-00000000E601}2132C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2E2BE06D-6DD6-60FA-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{2E2BE06D-6DE8-60FA-2700-00000000E601}2892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000890804Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:23:45.369{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC38159602B1DB77B573DCF2C49E15FE,SHA256=0C496DC60D8F250CA49DFDD5751020C23FB075AFCEE9B9CF97D5C3CCEBE6370E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001027784Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:23:45.739{2E2BE06D-7111-60FE-3879-00000000E601}68125136C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{2E2BE06D-6DE8-60FA-2700-00000000E601}2892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027783Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:23:45.457{2E2BE06D-6DE9-60FA-3300-00000000E601}31563176C:\Windows\system32\conhost.exe{2E2BE06D-7111-60FE-3879-00000000E601}6812C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027782Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:23:45.457{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027781Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:23:45.457{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027780Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:23:45.457{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027779Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:23:45.457{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027778Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:23:45.457{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027777Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:23:45.457{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027776Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:23:45.457{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027775Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:23:45.457{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027774Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:23:45.457{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027773Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:23:45.457{2E2BE06D-6DD6-60FA-0500-00000000E601}416420C:\Windows\system32\csrss.exe{2E2BE06D-7111-60FE-3879-00000000E601}6812C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001027772Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:23:45.457{2E2BE06D-6DE8-60FA-2700-00000000E601}28923740C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2E2BE06D-7111-60FE-3879-00000000E601}6812C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001027771Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:23:45.443{2E2BE06D-7111-60FE-3879-00000000E601}6812C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2E2BE06D-6DD6-60FA-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{2E2BE06D-6DE8-60FA-2700-00000000E601}2892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001027770Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:23:45.145{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D1E1ED3FC84B7C5EF4DD503D55A491F1,SHA256=8839907DD8C68A092BACE76546DE16ED02DD23B8BE653490062D3D8F68036C56,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001027769Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:23:45.145{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4F457860D8356CA92B36944478236A6E,SHA256=867F6A623C8FC2C827685F46DED6E40F420249FAD9559C2A946C3E16CFBA5EF8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001027768Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:23:45.145{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FFA634EC342B3A99EED318DDF78FF8E6,SHA256=D3F65580ACAB2273E2A8185429749B2DB86E81867C9BCEB0CDC8793A4BF24679,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000890803Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:23:45.353{D94AFF6C-6DD8-60FA-1100-00000000E701}972NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=4E45A8289FD7E118443E7E058F53A79D,SHA256=99B377C2E91279AEA1C943C8B3B7731AC7BAC7568CED675A4C26607764DA7CFF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001027813Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:23:46.832{2E2BE06D-6DE9-60FA-3300-00000000E601}31563176C:\Windows\system32\conhost.exe{2E2BE06D-7112-60FE-3A79-00000000E601}4800C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027812Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:23:46.832{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027811Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:23:46.832{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027810Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:23:46.832{2E2BE06D-6DD6-60FA-0500-00000000E601}416432C:\Windows\system32\csrss.exe{2E2BE06D-7112-60FE-3A79-00000000E601}4800C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001027809Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:23:46.832{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027808Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:23:46.832{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027807Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:23:46.832{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027806Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:23:46.832{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027805Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:23:46.832{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027804Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:23:46.832{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027803Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:23:46.832{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027802Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:23:46.832{2E2BE06D-6DE8-60FA-2700-00000000E601}28923740C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2E2BE06D-7112-60FE-3A79-00000000E601}4800C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001027801Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:23:46.818{2E2BE06D-7112-60FE-3A79-00000000E601}4800C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2E2BE06D-6DD6-60FA-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{2E2BE06D-6DE8-60FA-2700-00000000E601}2892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001027800Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:23:46.473{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4F457860D8356CA92B36944478236A6E,SHA256=867F6A623C8FC2C827685F46DED6E40F420249FAD9559C2A946C3E16CFBA5EF8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001027799Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:23:46.395{2E2BE06D-7112-60FE-3979-00000000E601}69926460C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{2E2BE06D-6DE8-60FA-2700-00000000E601}2892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027798Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:23:46.161{2E2BE06D-6DE9-60FA-3300-00000000E601}31563176C:\Windows\system32\conhost.exe{2E2BE06D-7112-60FE-3979-00000000E601}6992C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027797Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:23:46.145{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027796Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:23:46.145{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027795Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:23:46.145{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027794Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:23:46.145{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027793Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:23:46.145{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027792Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:23:46.145{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027791Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:23:46.145{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027790Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:23:46.145{2E2BE06D-6DD6-60FA-0500-00000000E601}416432C:\Windows\system32\csrss.exe{2E2BE06D-7112-60FE-3979-00000000E601}6992C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001027789Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:23:46.145{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027788Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:23:46.145{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027787Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:23:46.145{2E2BE06D-6DE8-60FA-2700-00000000E601}28923740C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2E2BE06D-7112-60FE-3979-00000000E601}6992C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001027786Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:23:46.130{2E2BE06D-7112-60FE-3979-00000000E601}6992C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2E2BE06D-6DD6-60FA-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{2E2BE06D-6DE8-60FA-2700-00000000E601}2892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001027785Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:23:46.145{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CFF70314E902463928B3D1C3C8F44E88,SHA256=371B4D47F73B35374FE30E25C5D5F5AB31B863EC2F6D22E5A8E7B93CFD29B592,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000890806Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:23:37.542{D94AFF6C-6DD8-60FA-1000-00000000E701}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse210.245.94.89smtp2.groupcontact.net55167-false10.0.1.15win-host-702.eu-central-1.compute.internal3389ms-wbt-server 23542300x8000000000000000890805Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:23:46.447{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0730D0438220985A3AFF35B531EE3C4C,SHA256=CBA9DFD44019B122B2BF7EFAF68ABDE25050B43B26404BCD86AB6F4B0D92EF61,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001027829Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:23:47.832{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=57B98B21571D6515022A3C3F7EC27181,SHA256=3C900B2FC40B82905E548B1FFC13F008940B44974291010E1E12140DE2CD79BE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001027828Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:23:47.723{2E2BE06D-7113-60FE-3B79-00000000E601}24483332C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{2E2BE06D-6DE8-60FA-2700-00000000E601}2892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001027827Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:23:47.661{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E681CC7C6513CA64D5B6A2E2A86BB47F,SHA256=537443734C904BAB09710CC9B73031614A675524BA33CF09614A1977438A7213,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001027826Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:23:47.520{2E2BE06D-6DE9-60FA-3300-00000000E601}31563176C:\Windows\system32\conhost.exe{2E2BE06D-7113-60FE-3B79-00000000E601}2448C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027825Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:23:47.520{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027824Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:23:47.520{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027823Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:23:47.520{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027822Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:23:47.520{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027821Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:23:47.520{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027820Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:23:47.520{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027819Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:23:47.520{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027818Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:23:47.520{2E2BE06D-6DD6-60FA-0500-00000000E601}416432C:\Windows\system32\csrss.exe{2E2BE06D-7113-60FE-3B79-00000000E601}2448C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001027817Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:23:47.520{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027816Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:23:47.520{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027815Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:23:47.520{2E2BE06D-6DE8-60FA-2700-00000000E601}28923740C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2E2BE06D-7113-60FE-3B79-00000000E601}2448C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001027814Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:23:47.505{2E2BE06D-7113-60FE-3B79-00000000E601}2448C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{2E2BE06D-6DD6-60FA-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{2E2BE06D-6DE8-60FA-2700-00000000E601}2892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000890807Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:23:47.494{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8AB61C83D0FC38AB087FDE9ACB7E82E3,SHA256=BF3808757500B11211BBF5224091FAFCBE7F378F2D079CC2E3DACFF4E4549D3C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000890810Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:23:48.510{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=35D7753CB516E00CDC10882F12FE3C65,SHA256=DF607AA7FD73FFC37C8FF58BF3381D1A1E0BD04383D1D21EFEA4C66FB14ECF52,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001027830Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:23:48.598{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=82697617F652F9C38E9EF603DF6479C0,SHA256=470137E1D01BBF10DF150A31DF2C121746C1EF6FB47655358748CB6EEAEBE3D5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000890809Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:23:48.228{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8BB65C94E76126EC2AA60149AF3291D7,SHA256=FF92ACD8EDED030C0F38C5E8E79F0486726A84195EB7341E43B1EA04A7E28E81,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000890808Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:23:48.228{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9F5ED75B674BA0325608A56F94E87837,SHA256=CA8D3A31BC228301F69672BFE2A767F836B52CA8704838055DAE0F6E3746B58D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000890812Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:23:49.635{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C075CD37CBB5E3EBE3813C0F7DF9479E,SHA256=9784969CE0D9ED6A8164F6A823A147962344EA797B4414AE48617610554D2EFE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001027831Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:23:49.598{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4CD5A8301B97BC603D8C017AACD9A77B,SHA256=5DDCEB14DC6AEFECF1EDDC1719E4B53237384C83BE65260DB68229E8A3689DE2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000890811Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:23:39.104{D94AFF6C-6DE2-60FA-6100-00000000E701}3628C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-702.eu-central-1.compute.internal52538-false10.0.1.12-8000- 23542300x8000000000000000890817Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:23:50.963{D94AFF6C-6DD9-60FA-2200-00000000E701}1296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\fishbucket\splunk_private_db\snapshot.old\snap.datMD5=68159375A537106E5AECA62A3A47948C,SHA256=27E80037836743617C717E24F3A0A86D25DCA22FD50F4A6F613D3A83BB21065F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000890816Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:23:50.963{D94AFF6C-6DD9-60FA-2200-00000000E701}1296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\fishbucket\splunk_private_db\snapshot.old\btree_records.datMD5=520CB741676456410B108D190AF78361,SHA256=14F40924E595DB77AA90EDEBB664828CC952D25FB68BB67A0E05959731E1E0B9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000890815Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:23:50.963{D94AFF6C-6DD9-60FA-2200-00000000E701}1296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\fishbucket\splunk_private_db\snapshot.old\btree_index.datMD5=F089E52BF9B9A233852574ECCFFD9BF0,SHA256=8FEB1BD4D1B244322E0E127D9810F383E9D34981FE6A691C7E8C1D756A1B0CD4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000890814Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:23:50.681{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=93BF0F86714B388F13C5E0937E737360,SHA256=10E3B7AC837A959935E4165870ADC60F48777215C17B34385AA2AD252F40EDEF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001027834Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:23:50.801{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=34186F07C6E3E5C2F7DF20DF81A66AF2,SHA256=8372166F02C2CB97B75458DE58C667D0CA07E12D183609043E921814E71A325E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001027833Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:23:50.614{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=245F5976B93F66E106999DC706310D1A,SHA256=3BF4C9959B8689B8E508ED975E135057C19AEEFD1C3A4428C98F60FC643E1344,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000890813Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:23:50.119{D94AFF6C-6DD9-60FA-2200-00000000E701}1296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=85E02EEFEB94889C2B3FA0450D64D965,SHA256=FD2D44B44F455C51F744FDF6D494B2B2CAA113DD2D7C2DD2E0FED42E8CA25B0C,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001027832Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:23:48.279{2E2BE06D-6DF4-60FA-6900-00000000E601}3676C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-56.attackrange.local57401-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000890818Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:23:51.900{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D01C1CCEDE11CD181CDB3A5C9393E7A7,SHA256=A3A344C008DD5BC212549CC3B50C02BDD8CA13F55375970D96309F95370F8D8D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001027850Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:23:51.848{2E2BE06D-6DE9-60FA-3300-00000000E601}31563176C:\Windows\system32\conhost.exe{2E2BE06D-7117-60FE-3C79-00000000E601}5244C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027849Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:23:51.832{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027848Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:23:51.832{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027847Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:23:51.832{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027846Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:23:51.832{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027845Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:23:51.832{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027844Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:23:51.832{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027843Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:23:51.832{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027842Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:23:51.832{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027841Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:23:51.832{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027840Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:23:51.832{2E2BE06D-6DD6-60FA-0500-00000000E601}416536C:\Windows\system32\csrss.exe{2E2BE06D-7117-60FE-3C79-00000000E601}5244C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001027839Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:23:51.832{2E2BE06D-6DE8-60FA-2700-00000000E601}28923740C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2E2BE06D-7117-60FE-3C79-00000000E601}5244C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001027838Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:23:51.818{2E2BE06D-7117-60FE-3C79-00000000E601}5244C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2E2BE06D-6DD6-60FA-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{2E2BE06D-6DE8-60FA-2700-00000000E601}2892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001027837Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:23:51.614{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EABB28AFB24348B7E541356BA98FE6D0,SHA256=A3A5CAABE2EDFBB792613B7E322C8F7321A5365FFC0E452BC9BB7F517554DAC3,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001027836Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:23:50.686{2E2BE06D-6DD6-60FA-0B00-00000000E601}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-56.attackrange.local57402-true0:0:0:0:0:0:0:1win-dc-56.attackrange.local389ldap 354300x80000000000000001027835Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:23:50.686{2E2BE06D-6DE8-60FA-2300-00000000E601}2740C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-56.attackrange.local57402-true0:0:0:0:0:0:0:1win-dc-56.attackrange.local389ldap 23542300x8000000000000000890820Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:23:52.994{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8FC612594FB51040060EC4F44F5D4449,SHA256=C482EE7D785D24DC3D1478D37975C8128E76982DA260C1872D970BE9F08E063A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001027852Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:23:52.879{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F9C51D880885CDAEDACBBE4150B31CAA,SHA256=6CAC90028E53B37ECAB9094B1672C545D1F7D37C06AEF316634B44073A0EC67A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001027851Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:23:52.631{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=823337074830DB950AA10EE60B90C030,SHA256=0E6C22A21E9E2BA530D659D7554677EF81F326F3605A9437ED375A7B2C7F7A1E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000890819Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:23:42.135{D94AFF6C-6DD9-60FA-2200-00000000E701}1296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-702.eu-central-1.compute.internal52539-false10.0.1.12-8089- 23542300x80000000000000001027853Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:23:53.645{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=90AC653061E145EC8CF8B13B6439C612,SHA256=F5E63F3EA887B45206C1FCBC902A06DE710E401E632C82DE21C8DE0B868F0E4E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001027854Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:23:54.661{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=688740A07BA2E45526BA1947EC8D4F33,SHA256=725DE2FF5E87776DD75F8D266241A245FE6E052C3ED9335109F0503178AAD969,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000890821Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:23:54.041{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E95D9AB51B33539CD7F3A27873B04D8,SHA256=036B0AFA77251858980B60898A4C2744AD3065754E0C11EE881FCDF40935355C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001027855Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:23:55.707{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B830546713257B02176D7B3AFEF4D86F,SHA256=FCD09D5E063D11F8379C6909F6B989EEB9D761C63F1D0465023CABFC66CE4649,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000890823Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:23:44.245{D94AFF6C-6DE2-60FA-6100-00000000E701}3628C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-702.eu-central-1.compute.internal52540-false10.0.1.12-8000- 23542300x8000000000000000890822Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:23:55.072{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=45E91583E9CF29481B0832F0E10F3351,SHA256=4AC8A393EDABDA96B3748A5C34C42B8290FC5F1B599175F4B9639B7CFDCC2F3F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001027857Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:23:56.723{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=01283AFB4EBBFBA74D8FF9A5EAB0889F,SHA256=0E12195CE24EE812434FDA2F2E856A01F12AA14EEC6178D8BC9196CCC8994DBE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000890824Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:23:56.135{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=998E4D28825B277F9CCC0657C3C0ED1D,SHA256=F7FC371C72FA8F43B9CDE4AF4C2BF3721267D5264430623D2131A69078AFCD29,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001027856Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:23:54.170{2E2BE06D-6DF4-60FA-6900-00000000E601}3676C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-56.attackrange.local57403-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001027858Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:23:57.739{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F20A93FAB481B182AFAE99BE40CB8CF,SHA256=E2AA50E5CA6152CA1A77382DF17BC563A3AECC827924594A2CAAFB80568E2895,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000890825Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:23:57.150{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D7E875662502D203ABE39AE023764356,SHA256=5D24A213AB30875F2943CD86A17BA668DF7011CE79E54F4439ECE4C971F215DD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001027859Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:23:58.754{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=64357F67059C325B12F97D31DDA00A3D,SHA256=2FED039B29483B1101E8F9291D68F93FDB462939FC9F613F744F46E47841786E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000890826Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:23:58.150{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2380317D2E4B2F3E40E95CCB4E2C94B8,SHA256=6F7B6D8DC1CEC66DFFDE0F63F9123C14FD6C5D0DCDAB438D8E584C135E5C7B80,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001027861Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:23:59.989{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C7775FA82D8ADA60023A73BF4575FB93,SHA256=4FF36CAA827DC030CFE689A90B91039F29F28622452A06E2132CBA2107615BC2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000890828Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:23:50.213{D94AFF6C-6DE2-60FA-6100-00000000E701}3628C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-702.eu-central-1.compute.internal52541-false10.0.1.12-8000- 23542300x8000000000000000890827Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:23:59.166{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3B64F1BB1748EC7A10E147B38FE0B635,SHA256=969D9B293E0F85DF35F175818B522B6DB2E3D46DC9FEFB45EA773C23BCFF2B35,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001027860Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:23:59.248{2E2BE06D-6DF4-60FA-6900-00000000E601}3676C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-56.attackrange.local57404-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000890829Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:24:00.181{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=924BB6359B84EB6D6304D0FBA79F3283,SHA256=3A50B42EEBFC9B8ADA1F2EA8FF1AE269A203E50335B4420DA767CD85FE3EC9B1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000890830Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:24:01.197{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=01A3CE6D35E5F7F7C1E3C52A726D83F5,SHA256=E39827A4FE3AC628A5808BCA30ADAF74A54E265926F22294FAA3A8029D9D6829,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001027862Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:24:01.051{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F6C4AF26C6CA328EEEBFF47DD39B9C5,SHA256=5CB9325255B67942A2C7BBC84C2EE7166141CA0009341C419252BC024E3B8B11,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000890831Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:24:02.213{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA7BD8F9FE6BD46FA0D47EF201AAE552,SHA256=34E973E4AE0AC6BD4E3C094EA3A47F8437AA15E4B13ED21145D4131BFDB1EDD0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001027863Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:24:02.051{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E4FBE354F686CDA168537707F319850C,SHA256=C17DFB3E403FF78D6C11801A962BDFB9DE265480463A97DD26070C500F4E9C79,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000890832Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:24:03.228{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B4D06192867C118B3EC37909C55781D,SHA256=99859095B1B17D07A3299087CC716C597BC7BED22091974E154B415EF7487132,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001027864Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:24:03.051{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB486169659BB13B4698C0A2B6D6243F,SHA256=74E1B0AB6DA5F77C4552EB2D858E2EB6445E5FD9FE19AFBA7EF67495EEC22BCF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000890833Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:24:04.244{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8387370F37AEE2ABA2F2D5C5AA929B0D,SHA256=C801F9071D57D2A26D237CD2375BB437938CE2A6D231BB439F872EDD0CF66743,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001027866Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:24:04.357{2E2BE06D-6DF4-60FA-6900-00000000E601}3676C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-56.attackrange.local57405-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001027865Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:24:04.051{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E546E6C5678FC24E8442D03F182E1A80,SHA256=EFC52893FC5C3082DFF5E285C855AFD76EEDC2D530BC1CBB336450DDAEBE66B1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000890834Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:24:05.260{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=60BF6007C2BA799813909C424809EFEF,SHA256=1835C27CDBFBF4642857D1C175170F2DABDCFC5833C9A8C4999777B2C98A22BF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001027867Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:24:05.067{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E4A22AE399B679B959522B4B70528C8B,SHA256=794AD1A3A292EAA59A965597080DC6A2DE88B2EBE4E45497FC25E6E3B1B66BAE,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000890836Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:23:56.166{D94AFF6C-6DE2-60FA-6100-00000000E701}3628C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-702.eu-central-1.compute.internal52542-false10.0.1.12-8000- 23542300x8000000000000000890835Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:24:06.275{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E5939E8F9FC626DFDD91FB604A80DD4,SHA256=2C9F13D09222E20997C352D6337D5262E378F1B0FC0917B0C9F3295AE432371A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001027868Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:24:06.082{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C61B532591FDCA592C92E8E00352D753,SHA256=D059ACE193BCC5A2D9DC82B8D1004DDF22E1DE7881F8A27F1B6C5E7E430E4597,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000890837Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:24:07.291{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=61FAC58F7EC146E2151154371D3FD990,SHA256=3D6DA82510536E33CFC014680274F7991B72E5E2ECDF75903A737691D2BC612F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001027869Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:24:07.098{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F84784C1686A1A4DD945837FCA85431,SHA256=CFFB576CCFDD5F21A93922186D011FD07E0AD837C463484F077054BCBA00F59C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000890838Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:24:08.306{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=66F833D0E4BAFE637B9027C5CCBC17A8,SHA256=FAEAB33B3DEB3761BA1311E2CC52EAE771FC7A1155BDB3DF97A880842DD4A3FF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001027870Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:24:08.098{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C11D5893D6F1A9CB03F59075678553D,SHA256=DF70F219A2433A8B33A776DBC0CD3985C0520A15EACB766303B8F9670B3CA132,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000890839Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:24:09.322{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F8F1E9295DB3A1A1EE158333CAEA4888,SHA256=804998625B741438AB9B09BCCD76BAB19EDCC7F0390DD835E939977ED30B765D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001027871Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:24:09.098{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2EED58E3568BBACD0C39C1FCEC5C0C72,SHA256=6CC8C211133519FEC0E506833DC999F756D4524626471E188D233E60334C77F2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000890841Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:24:01.197{D94AFF6C-6DE2-60FA-6100-00000000E701}3628C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-702.eu-central-1.compute.internal52543-false10.0.1.12-8000- 23542300x8000000000000000890840Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:24:10.338{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E8D37EB2D646218DCBD7392C6A7B699,SHA256=FC696EC29F91158004EC69690EBEA9DF2FF0230C444BE0D50B7D38D0CF5965E2,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001027873Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:24:10.279{2E2BE06D-6DF4-60FA-6900-00000000E601}3676C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-56.attackrange.local57406-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001027872Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:24:10.176{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=132AD10A275E32C572A4DB2CD4DA5B0D,SHA256=85DC3556E508F03E1F90B83040C5CA69ED2E7A3DE8602B1AD94EBE0481EB988F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000890842Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:24:11.353{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=096AB6DBFA77ABA513B5F1D90BC65C26,SHA256=4C00A532C568CCDC4F5BB7D07C4F65867D1F1CAC3BDC5D9029E7EF72F8FE4B65,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001027876Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:24:11.837{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8346F4001F103DE44DC4CA0DDC8130E5,SHA256=AC5630877FC0713ACB728FEA6A582DD0FB6662CC10F8444417B25504D6C4D012,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001027875Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:24:11.837{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=215D3DC3312AE79D105ECDD247F5F30B,SHA256=39B5B5AEA17CB0B008F4B077EAFDB0BE7EAAC1C96DB33740217EC100F2A80560,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001027874Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:24:11.241{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B02538B5C7E24CBBD1595FEC89223477,SHA256=6FEFC1DB27CA50E993425FF4CA364FD28D317FB2B607F7E1B06BDBB52C95CC75,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001027878Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:24:11.844{2E2BE06D-6DD8-60FA-0F00-00000000E601}368C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse193.93.62.33-21528-false10.0.1.14win-dc-56.attackrange.local3389ms-wbt-server 23542300x80000000000000001027877Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:24:12.243{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=31C8512787186A15764BAFA12F65F7BB,SHA256=E18CBDD0F4B1974D983B5048589156E202A69A9E200694BCA822E31799953637,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000890843Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:24:12.369{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=33C788A1986334D35F4681A39971A996,SHA256=22602B081419507B0E1E00063D030F665A770E73C3F346B04FFFDF78DF80D91C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000890844Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:24:13.385{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=670BADF466EF1B8BD7171466A6403103,SHA256=5F28863093DF1A74163EFC628BA337BF7E7555EB81999D851ADA86B8C12E157E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001027879Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:24:13.262{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C52B4EDAA14A8DD0A8FC898CD51E42E,SHA256=76C08053CEED509086D4A9D0825823F7E27D9BB57EED213770CCEE56762D1F8C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000890848Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:24:04.760{D94AFF6C-6DD8-60FA-1000-00000000E701}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse210.245.94.89smtp2.groupcontact.net58055-false10.0.1.15win-host-702.eu-central-1.compute.internal3389ms-wbt-server 23542300x8000000000000000890847Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:24:14.510{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=119740DACC9ECC6F8C733AD1A2A3C6FD,SHA256=734ABD759C68DC3C169ECA2B0886B4616F97DC3CEBB0AA5920FF8C98CD2FD2D5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000890846Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:24:14.510{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8BB65C94E76126EC2AA60149AF3291D7,SHA256=FF92ACD8EDED030C0F38C5E8E79F0486726A84195EB7341E43B1EA04A7E28E81,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000890845Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:24:14.400{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A72EBA80F9CF1EACACCFD7AD9447A2C,SHA256=1BA527E2F1B90356D6ADDF1DA8CCCD191F9F23A77F89A4BF80A84E6D1EDCFF64,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001027880Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:24:14.262{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3EF3C117C6FEA966B2315E11245C65AE,SHA256=C1D929C770566B35764AAE1F803D8F553D3083D42B8B56DC01DDF3582EC9FB44,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000890849Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:24:15.416{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3DD2413F2AA5CB7B1474A7A1F6137C6D,SHA256=1729141AA7EDC1E4EA699D9781D3452FE1471D6ECC79E74921BCA218AE94C87A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001027881Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:24:15.262{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=05A2BD5863EAA9975C868B6DD4582DAF,SHA256=E282AB638246E34A19B4A2A94928911FBE94CAAAD1325E44016C9D091BF5F61F,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001027883Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:24:16.210{2E2BE06D-6DF4-60FA-6900-00000000E601}3676C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-56.attackrange.local57407-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001027882Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:24:16.262{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EEC67F0377B29EFB150482E6BB507E9F,SHA256=8519ECE5BD9A652037662C008CEDD976F45AAD02DAE1305437BFA6D1EA78E956,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000890851Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:24:07.166{D94AFF6C-6DE2-60FA-6100-00000000E701}3628C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-702.eu-central-1.compute.internal52544-false10.0.1.12-8000- 23542300x8000000000000000890850Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:24:16.432{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D57A1D1DF96EF8A6C4DA2605C39ED08A,SHA256=A868A9A2C235DC1815DE2CA7B656C90C110DB488A43366E0350F0E2EF425B03C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000890852Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:24:17.447{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A295569AFEC02D33D449337E1DD402A5,SHA256=CBF4D58767BAD80EF2FDCA218273A6CE7B95827509A353CAD23308129FFDF46C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001027885Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:24:17.856{2E2BE06D-6DD8-60FA-1200-00000000E601}780NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=090A3FB115A00208EA5B6CF84C2D9511,SHA256=88018406F1AA487CB8392CEF0709A703E68127BF9B877811D9AD01CEF20D8BDA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001027884Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:24:17.278{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EEEB6F501CB023CD2720492AA6001697,SHA256=F4C7ECFA26FE5E82D44EF09AECF0A89842BD9867CFBC433F16A5113C2E78D679,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000890853Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:24:18.463{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=09E6A60A5980E6ABE072FD7374F76CBD,SHA256=E90B8BF062FEE953B7CD505780073F974FB2DE8DACAA9B12EF5BE054A89C53AF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001027886Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:24:18.294{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9157C9EF92C3765F9CEC670F2A52BFAB,SHA256=31DCDF893A080E2B87F251631A03B03064C1A22F936B143652615CC9098ED6F0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000890854Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:24:19.478{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8416E1E685ACC2CB6DF49E5A5A43BA2C,SHA256=281F1F8B48E04DADD1E8E40B992743EB7685DAC83D3C369AB06FFDE55EEA0728,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001027887Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:24:19.372{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=58CD03E21FBF2F7FA7A5678AADEF3607,SHA256=F6DDF313F5521EA0BC1E69940460EF4695E05DC97D8FA72B6D6B7DE928F42645,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001027891Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:24:19.556{2E2BE06D-6DD8-60FA-0F00-00000000E601}368C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse212.102.34.235unn-212-102-34-235.datapacket.com17561-false10.0.1.14win-dc-56.attackrange.local3389ms-wbt-server 23542300x80000000000000001027890Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:24:20.372{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=53ADD8340F28CBE184127B59BA168BF2,SHA256=EC3B95D96F96ED1855B13BFD6BD14AEF536284E2D9525A081F52397E0C084D15,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000890855Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:24:20.494{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2FD180A8B1EE8514D2D2C3FC9230F547,SHA256=8B5F9529E73991C3260742E25FDBCB9E1D1D7E1CF601C97F885498CEA7733EF2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001027889Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:24:20.012{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=571176E3097F7C2D1FEF11D2BAD42FF2,SHA256=9DF566A1C3BFFFEAE751A42AC1A95299C9CC397294F05E1587D89293B817B337,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001027888Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:24:20.012{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8346F4001F103DE44DC4CA0DDC8130E5,SHA256=AC5630877FC0713ACB728FEA6A582DD0FB6662CC10F8444417B25504D6C4D012,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001027892Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:24:21.372{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CFFA52F7B9B9242B4D812FB93C36C67E,SHA256=B61DE81CFAD2684C7714CE1E0E6C38C2865985D4A119D96B70317D7E2E659868,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000890856Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:24:21.510{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D3414ABF5163D03A2FF9E41805D7869,SHA256=B90D43CB2CA49F73AA7A3F9820B4697D2D2A055046D2B21ABCB5943930184E0F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001027893Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:24:22.387{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=081962058E2C8813644631591F317F6B,SHA256=276197ECC836E134D1574585EA78093FB7EFC22AA37C894257D2FCD6DAB7AA3C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000890857Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:24:22.525{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B8831B09B9165E8630EA3FB1F707B357,SHA256=676388A8DCB4A0752C447CEB2A203B1A38D3842952D7FDCC88E4508444A2AD1B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000890859Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:24:23.541{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=234D0514643CABC3905541F2A91299EC,SHA256=1F09A66E95AF07EAA6AC9CD0085ECBDED6EE45FB4894ECBF48E2342B2808B879,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001027895Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:24:23.387{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=50752EEBA2DEC4AF149F02C233F330E2,SHA256=27F5662B28804310C0A5D0E2F185D732865C695B4AA25726539CBB7E1E31F04C,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001027894Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:24:21.366{2E2BE06D-6DF4-60FA-6900-00000000E601}3676C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-56.attackrange.local57408-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000890858Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:24:13.119{D94AFF6C-6DE2-60FA-6100-00000000E701}3628C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-702.eu-central-1.compute.internal52545-false10.0.1.12-8000- 23542300x80000000000000001027896Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:24:24.403{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DCAEF37E2E0E6B31EF5A721A59BB8614,SHA256=062535E37ECD51291D84FBFDBB54ABC265EA3005B249A827FF26CF4B76057555,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000890860Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:24:24.556{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=173E8CDA988B010F0A95C7787A0131CD,SHA256=7723CD14BB41A438CF629619D9CFD15B6A69D62FE3426B6F82FCD83E7435496F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001027899Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:24:25.403{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C236BC7B9EC2996B817C9EADDA4177D6,SHA256=9E3DBD696C03E059273AACE2F5957E0C8D2AEC0FA746B08B4AEFF765256C8EC0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000890861Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:24:25.572{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C792D549519A4585EA6C3C224F321E3,SHA256=8A784AAF9CAECEFE6D72B4D3FA3B49FB3EBFC04AFFAA9365E15F768C6255BD2B,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001027898Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:24:24.876{2E2BE06D-6DD8-60FA-0F00-00000000E601}368C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse193.93.62.20-49846-false10.0.1.14win-dc-56.attackrange.local3389ms-wbt-server 23542300x80000000000000001027897Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:24:25.012{2E2BE06D-6DE8-60FA-2700-00000000E601}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=85E02EEFEB94889C2B3FA0450D64D965,SHA256=FD2D44B44F455C51F744FDF6D494B2B2CAA113DD2D7C2DD2E0FED42E8CA25B0C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001027903Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:24:26.419{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C80B016FE726BFD173A5B06043841F18,SHA256=A5DD51ED4034187DA81C857286690055AA8253FE0C95A32C80483DF94F87CC5A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001027902Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:24:26.419{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A88A7A1F94797FAA4738621EA3DD6B6,SHA256=1D337ADECEEDFC6B38E6401C6A6B28990C59C4E6D692B9BA06EAC04A5609147E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001027901Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:24:26.419{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=571176E3097F7C2D1FEF11D2BAD42FF2,SHA256=9DF566A1C3BFFFEAE751A42AC1A95299C9CC397294F05E1587D89293B817B337,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000890862Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:24:26.588{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=47E9267E0D3F759A453BCC5B5D26BC04,SHA256=672C6A677699C5F8D009672AD3461CD425EE56A04D5151E467FB4FC53D446BF6,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001027900Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:24:26.131{2E2BE06D-6DE8-60FA-2700-00000000E601}2892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-56.attackrange.local57409-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 10341000x8000000000000000890876Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:24:27.885{D94AFF6C-6DDA-60FA-2B00-00000000E701}28322852C:\Windows\system32\conhost.exe{D94AFF6C-713B-60FE-B078-00000000E701}2284C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000890875Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:24:27.869{D94AFF6C-6DD8-60FA-0C00-00000000E701}728864C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000890874Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:24:27.869{D94AFF6C-6DD8-60FA-0C00-00000000E701}728864C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000890873Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:24:27.869{D94AFF6C-6DD8-60FA-0C00-00000000E701}728864C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000890872Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:24:27.869{D94AFF6C-6DD8-60FA-0C00-00000000E701}728864C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000890871Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:24:27.869{D94AFF6C-6DD8-60FA-0C00-00000000E701}728864C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000890870Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:24:27.869{D94AFF6C-6DD8-60FA-0C00-00000000E701}728864C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000890869Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:24:27.869{D94AFF6C-6DD8-60FA-0C00-00000000E701}728864C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000890868Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:24:27.869{D94AFF6C-6DD8-60FA-0C00-00000000E701}728864C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000890867Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:24:27.869{D94AFF6C-6DD8-60FA-0C00-00000000E701}728864C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000890866Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:24:27.869{D94AFF6C-6DD7-60FA-0500-00000000E701}416532C:\Windows\system32\csrss.exe{D94AFF6C-713B-60FE-B078-00000000E701}2284C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000890865Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:24:27.869{D94AFF6C-6DD9-60FA-2200-00000000E701}12963324C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D94AFF6C-713B-60FE-B078-00000000E701}2284C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000890864Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:24:27.870{D94AFF6C-713B-60FE-B078-00000000E701}2284C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D94AFF6C-6DD8-60FA-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{D94AFF6C-6DD9-60FA-2200-00000000E701}1296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000890863Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:24:27.603{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0063D1A144CD8B1407CAEF48C70C6328,SHA256=2E062FC9D856BB1013F64B028E7EF41EB94A79CC4DC4B5C8D97333E6B8E767DE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001027905Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:24:27.419{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=48E1CC270357B8AB02EA401A954DC0D5,SHA256=3D9BD6D8F080B88FAE64811E0FC3096BFD6A18099DD3B271CA5E8E94586F8F2D,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001027904Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:24:27.272{2E2BE06D-6DF4-60FA-6900-00000000E601}3676C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-56.attackrange.local57410-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001027906Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:24:28.434{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=54BC5A4FCFC06562A4A46E76B8BB4AB2,SHA256=F1E5FC16E5D02B34180FAAA047804A30824938F6F6E0BEFED83FB1FD5B44BA06,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000890890Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:24:28.556{D94AFF6C-6DDA-60FA-2B00-00000000E701}28322852C:\Windows\system32\conhost.exe{D94AFF6C-713C-60FE-B178-00000000E701}2556C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000890889Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:24:28.541{D94AFF6C-6DD8-60FA-0C00-00000000E701}728864C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000890888Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:24:28.541{D94AFF6C-6DD8-60FA-0C00-00000000E701}728864C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000890887Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:24:28.541{D94AFF6C-6DD8-60FA-0C00-00000000E701}728864C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000890886Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:24:28.541{D94AFF6C-6DD8-60FA-0C00-00000000E701}728864C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000890885Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:24:28.541{D94AFF6C-6DD8-60FA-0C00-00000000E701}728864C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000890884Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:24:28.541{D94AFF6C-6DD8-60FA-0C00-00000000E701}728864C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000890883Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:24:28.541{D94AFF6C-6DD8-60FA-0C00-00000000E701}728864C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000890882Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:24:28.541{D94AFF6C-6DD8-60FA-0C00-00000000E701}728864C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000890881Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:24:28.541{D94AFF6C-6DD8-60FA-0C00-00000000E701}728864C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000890880Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:24:28.541{D94AFF6C-6DD7-60FA-0500-00000000E701}416532C:\Windows\system32\csrss.exe{D94AFF6C-713C-60FE-B178-00000000E701}2556C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000890879Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:24:28.541{D94AFF6C-6DD9-60FA-2200-00000000E701}12963324C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D94AFF6C-713C-60FE-B178-00000000E701}2556C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000890878Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:24:28.541{D94AFF6C-713C-60FE-B178-00000000E701}2556C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D94AFF6C-6DD8-60FA-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{D94AFF6C-6DD9-60FA-2200-00000000E701}1296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000890877Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:24:18.259{D94AFF6C-6DE2-60FA-6100-00000000E701}3628C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-702.eu-central-1.compute.internal52546-false10.0.1.12-8000- 23542300x80000000000000001027907Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:24:29.434{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE047ECF34DE2B9DAE602E3F5D1B3C3F,SHA256=2EF6C4D3D2C1A8984078FEA69B99215747447384204BC54366882BED42C78E01,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000890920Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:24:29.900{D94AFF6C-6DDA-60FA-2B00-00000000E701}28322852C:\Windows\system32\conhost.exe{D94AFF6C-713D-60FE-B378-00000000E701}2884C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000890919Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:24:29.885{D94AFF6C-6DD8-60FA-0C00-00000000E701}728864C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000890918Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:24:29.885{D94AFF6C-6DD8-60FA-0C00-00000000E701}728864C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000890917Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:24:29.885{D94AFF6C-6DD8-60FA-0C00-00000000E701}728864C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000890916Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:24:29.885{D94AFF6C-6DD8-60FA-0C00-00000000E701}728864C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000890915Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:24:29.885{D94AFF6C-6DD8-60FA-0C00-00000000E701}728864C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000890914Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:24:29.885{D94AFF6C-6DD8-60FA-0C00-00000000E701}728864C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000890913Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:24:29.885{D94AFF6C-6DD8-60FA-0C00-00000000E701}728864C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000890912Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:24:29.885{D94AFF6C-6DD8-60FA-0C00-00000000E701}728864C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000890911Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:24:29.885{D94AFF6C-6DD8-60FA-0C00-00000000E701}728864C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000890910Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:24:29.885{D94AFF6C-6DD7-60FA-0500-00000000E701}4161852C:\Windows\system32\csrss.exe{D94AFF6C-713D-60FE-B378-00000000E701}2884C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000890909Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:24:29.885{D94AFF6C-6DD9-60FA-2200-00000000E701}12963324C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D94AFF6C-713D-60FE-B378-00000000E701}2884C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000890908Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:24:29.885{D94AFF6C-713D-60FE-B378-00000000E701}2884C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D94AFF6C-6DD8-60FA-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{D94AFF6C-6DD9-60FA-2200-00000000E701}1296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000890907Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:24:19.877{D94AFF6C-6DD8-60FA-1000-00000000E701}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse193.93.62.20-10449-false10.0.1.15win-host-702.eu-central-1.compute.internal3389ms-wbt-server 10341000x8000000000000000890906Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:24:29.228{D94AFF6C-6DDA-60FA-2B00-00000000E701}28322852C:\Windows\system32\conhost.exe{D94AFF6C-713D-60FE-B278-00000000E701}4040C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000890905Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:24:29.228{D94AFF6C-6DD8-60FA-0C00-00000000E701}728864C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000890904Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:24:29.228{D94AFF6C-6DD8-60FA-0C00-00000000E701}728864C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000890903Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:24:29.228{D94AFF6C-6DD8-60FA-0C00-00000000E701}728864C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000890902Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:24:29.228{D94AFF6C-6DD8-60FA-0C00-00000000E701}728864C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000890901Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:24:29.228{D94AFF6C-6DD8-60FA-0C00-00000000E701}728864C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000890900Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:24:29.228{D94AFF6C-6DD8-60FA-0C00-00000000E701}728864C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000890899Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:24:29.213{D94AFF6C-6DD8-60FA-0C00-00000000E701}728864C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000890898Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:24:29.213{D94AFF6C-6DD8-60FA-0C00-00000000E701}728864C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000890897Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:24:29.213{D94AFF6C-6DD8-60FA-0C00-00000000E701}728864C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000890896Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:24:29.213{D94AFF6C-6DD7-60FA-0500-00000000E701}416432C:\Windows\system32\csrss.exe{D94AFF6C-713D-60FE-B278-00000000E701}4040C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000890895Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:24:29.213{D94AFF6C-6DD9-60FA-2200-00000000E701}12963324C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D94AFF6C-713D-60FE-B278-00000000E701}4040C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000890894Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:24:29.214{D94AFF6C-713D-60FE-B278-00000000E701}4040C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D94AFF6C-6DD8-60FA-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{D94AFF6C-6DD9-60FA-2200-00000000E701}1296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000890893Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:24:29.010{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0134D57587CF36AD9DF51B9D0F6FA103,SHA256=A73F7964B1670C5F72413D8A6AC1C5EFDF187ECB303EAA231881CA140548AFB5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000890892Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:24:29.010{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=119740DACC9ECC6F8C733AD1A2A3C6FD,SHA256=734ABD759C68DC3C169ECA2B0886B4616F97DC3CEBB0AA5920FF8C98CD2FD2D5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000890891Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:24:29.010{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8290AF2DCD6042E31AA3146E6EE33CAE,SHA256=4B975D76658D3EFCB1C1198A9A70E55D6505D57B7B7D71F6DF8038233E866D0D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001027908Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:24:30.434{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A9C6E1769457DE1D14D9645FB2CC4E39,SHA256=83447B224A41391C84C17EAFAAEDD9303BD623ACCFA099B9399968E52FD1FF3D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000890923Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:24:30.260{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0134D57587CF36AD9DF51B9D0F6FA103,SHA256=A73F7964B1670C5F72413D8A6AC1C5EFDF187ECB303EAA231881CA140548AFB5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000890922Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:24:30.166{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E65293285A34497EEB49A2EF39A6F823,SHA256=1CE4BEDB8C8449A1223984867475F1BBA8F909882595B7750297C71D24383DBB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000890921Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:24:30.010{D94AFF6C-713D-60FE-B378-00000000E701}28841844C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{D94AFF6C-6DD9-60FA-2200-00000000E701}1296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001027909Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:24:31.434{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C5C9205D4B3FEBED6A2E32E39D996E4D,SHA256=828B13CBF133FBF3250D751F75253D0357F744896A54DB829C692FC4A71EB5D5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000890924Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:24:31.182{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=69235A52460B564E3F114CC960480FA5,SHA256=1E9CA4A2521BEDDB7F4708BCC432B2BD1D87FCA89F50355E81FA2CE44C2D2B54,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001027910Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:24:32.434{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E945F6CF22C29C01056C98291842611,SHA256=9D64C76B734FA0A23CE18F11352E2D4BB654A234E288195B5997656391D89B09,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000890925Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:24:32.197{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8FBE258F4405013B06A5122504C4C031,SHA256=02F5413231784299FEC34EC6B6AB26BA40DEFED14FDEB9251A08A98E585B4240,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001027912Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:24:32.381{2E2BE06D-6DF4-60FA-6900-00000000E601}3676C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-56.attackrange.local57411-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001027911Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:24:33.450{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D013A6C966BAE1B41F80EABB2DA63D8,SHA256=39CB59F554108DC9B33D910013D01126F87CDB973DC42E9DE2DDA04D1A3734E6,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000890927Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:24:24.134{D94AFF6C-6DE2-60FA-6100-00000000E701}3628C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-702.eu-central-1.compute.internal52547-false10.0.1.12-8000- 23542300x8000000000000000890926Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:24:33.213{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B891503456FE5C344D34A6239033E2AD,SHA256=F253EF2935131707ADD5EDCAAC62F4DB3B3079CE9A361DB9438161A7202A3E2E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001027913Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:24:34.450{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F9D4F88E6BBA53AF3AAB7740946493BB,SHA256=61AE403D19D61765EF35C644D6980F468B6CBE2C0D33B31C4B87860137D12E91,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000890928Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:24:34.244{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=82D5AA29346C053DA771D28BCDC881C2,SHA256=470B0E6E2B2CAC86216C0FD7945ED315C8C8260F4564CCCFB8EAE65D36991FDE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001027914Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:24:35.528{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2FC3A972F04021EE32E6429E0B9E0C8D,SHA256=1F8985D0CABFD3001F1C6160D2218D9B5849CA9B732A5AE40CCE4F956B60B533,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000890943Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:24:35.822{D94AFF6C-7143-60FE-B478-00000000E701}12082720C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D94AFF6C-6DD9-60FA-2200-00000000E701}1296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000890942Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:24:35.697{D94AFF6C-6DDA-60FA-2B00-00000000E701}28322852C:\Windows\system32\conhost.exe{D94AFF6C-7143-60FE-B478-00000000E701}1208C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000890941Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:24:35.682{D94AFF6C-6DD8-60FA-0C00-00000000E701}728864C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000890940Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:24:35.682{D94AFF6C-6DD8-60FA-0C00-00000000E701}728864C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000890939Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:24:35.682{D94AFF6C-6DD8-60FA-0C00-00000000E701}728864C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000890938Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:24:35.682{D94AFF6C-6DD8-60FA-0C00-00000000E701}728864C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000890937Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:24:35.682{D94AFF6C-6DD8-60FA-0C00-00000000E701}728864C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000890936Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:24:35.682{D94AFF6C-6DD8-60FA-0C00-00000000E701}728864C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000890935Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:24:35.682{D94AFF6C-6DD8-60FA-0C00-00000000E701}728864C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000890934Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:24:35.682{D94AFF6C-6DD8-60FA-0C00-00000000E701}728864C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000890933Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:24:35.682{D94AFF6C-6DD8-60FA-0C00-00000000E701}728864C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000890932Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:24:35.682{D94AFF6C-6DD7-60FA-0500-00000000E701}4161852C:\Windows\system32\csrss.exe{D94AFF6C-7143-60FE-B478-00000000E701}1208C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000890931Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:24:35.682{D94AFF6C-6DD9-60FA-2200-00000000E701}12963324C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D94AFF6C-7143-60FE-B478-00000000E701}1208C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000890930Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:24:35.682{D94AFF6C-7143-60FE-B478-00000000E701}1208C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D94AFF6C-6DD8-60FA-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{D94AFF6C-6DD9-60FA-2200-00000000E701}1296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000890929Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:24:35.244{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB33CCD258329483C75FEDD1607393E2,SHA256=647E2501E90714EFF54E96D17DB307E6B7C9F20CC3EA54FD541DDB633EF193EF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001027915Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:24:36.528{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=25AAACECC09A72877EBAFD80E02D70F7,SHA256=BDAD79B896E42FD9E0461397C3F15724142698058440E32CB22B3A6D129EFAB0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000890946Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:24:36.697{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CEE121DA67417C9714A764B65F0803AE,SHA256=94770602494DE7042C9C76E44D7B7959F69EC6F77C75E0A009968676CA95B836,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000890945Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:24:36.697{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=32CB9EAA5EBFA9C777E35C74C1C7F09C,SHA256=85F7EF5D4C88AFF7E832776B36307D210C612EA523D44C19A4F304F4D69B059F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000890944Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:24:36.260{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=29B53FC573EFE7ED237EA30AC92BDA63,SHA256=5CCFB839177ED6AAF64B48918B23141510CA9E997432FBEBF037C7D611CD8D00,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001027916Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:24:37.590{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=45E6ED54BD1B8EE2DA61046B9BF638FF,SHA256=6719472B59D66DA93E30F50E0A978653316AE03DC0E7CF2458398F8841B06AE1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000890947Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:24:37.291{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AF37F88F9A139EA875A5096FCF6FD83A,SHA256=457819F79555A5B708B4EF2C49A0586892841DBBC143FB74923D70463B9D3C5B,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001027918Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:24:38.288{2E2BE06D-6DF4-60FA-6900-00000000E601}3676C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-56.attackrange.local57412-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001027917Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:24:38.607{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=857CD3D5D5640A2E10AE6EB85D1BC388,SHA256=88747B149228084418C2CFFE525D0B679C45B1954446F9B98D2340DC69131A9D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000890949Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:24:29.290{D94AFF6C-6DE2-60FA-6100-00000000E701}3628C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-702.eu-central-1.compute.internal52548-false10.0.1.12-8000- 23542300x8000000000000000890948Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:24:38.306{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF30AD1D1CBD5AB1772D0C4296652BBB,SHA256=CFB1AC761BF1E0553208C61B1E8075E77830F117CDC85C265DFF381C3C585E23,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000890964Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:24:39.775{D94AFF6C-7147-60FE-B578-00000000E701}1640380C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{D94AFF6C-6DD9-60FA-2200-00000000E701}1296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000890963Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:24:39.650{D94AFF6C-6DDA-60FA-2B00-00000000E701}28322852C:\Windows\system32\conhost.exe{D94AFF6C-7147-60FE-B578-00000000E701}1640C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000890962Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:24:39.650{D94AFF6C-6DD8-60FA-0C00-00000000E701}728864C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000890961Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:24:39.650{D94AFF6C-6DD8-60FA-0C00-00000000E701}728864C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000890960Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:24:39.635{D94AFF6C-6DD8-60FA-0C00-00000000E701}728864C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000890959Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:24:39.635{D94AFF6C-6DD8-60FA-0C00-00000000E701}728864C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000890958Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:24:39.635{D94AFF6C-6DD8-60FA-0C00-00000000E701}728864C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000890957Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:24:39.635{D94AFF6C-6DD8-60FA-0C00-00000000E701}728864C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000890956Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:24:39.635{D94AFF6C-6DD8-60FA-0C00-00000000E701}728864C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000890955Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:24:39.635{D94AFF6C-6DD8-60FA-0C00-00000000E701}728864C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000890954Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:24:39.635{D94AFF6C-6DD8-60FA-0C00-00000000E701}728864C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000890953Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:24:39.635{D94AFF6C-6DD7-60FA-0500-00000000E701}4161852C:\Windows\system32\csrss.exe{D94AFF6C-7147-60FE-B578-00000000E701}1640C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000890952Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:24:39.635{D94AFF6C-6DD9-60FA-2200-00000000E701}12963324C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D94AFF6C-7147-60FE-B578-00000000E701}1640C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000890951Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:24:39.635{D94AFF6C-7147-60FE-B578-00000000E701}1640C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D94AFF6C-6DD8-60FA-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{D94AFF6C-6DD9-60FA-2200-00000000E701}1296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000890950Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:24:39.322{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1FB8545CD002DC37CF2ACD5580F794D1,SHA256=C41C8AB564D43A4DEADB47266867CA9AC7619F95F545C4C9C25E1A5B4835F0C9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001027919Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:24:39.622{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E018ED08E4213782C9748717332B36FA,SHA256=E63ECBDAF4D656B0219740188A48F89C25070848396C61F378B06CE3D3A18745,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001027920Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:24:40.622{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=896CA91A6582D2D962F333020BD9AAD5,SHA256=7655AE47FAE31D91648C4BDE879178B57D6ECF37F137C6067039EE44C95E8555,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000890980Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:24:40.775{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D375AB8670B0EB486B008B72E04B542,SHA256=387152F2C6F5DD37D202B5528946855F6799183A119D6ADCF6D93F4EF5F3CDAF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000890979Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:24:40.775{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CEE121DA67417C9714A764B65F0803AE,SHA256=94770602494DE7042C9C76E44D7B7959F69EC6F77C75E0A009968676CA95B836,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000890978Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:24:40.431{D94AFF6C-7148-60FE-B678-00000000E701}31681804C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D94AFF6C-6DD9-60FA-2200-00000000E701}1296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000890977Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:24:40.322{D94AFF6C-6DDA-60FA-2B00-00000000E701}28322852C:\Windows\system32\conhost.exe{D94AFF6C-7148-60FE-B678-00000000E701}3168C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000890976Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:24:40.306{D94AFF6C-6DD8-60FA-0C00-00000000E701}728864C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000890975Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:24:40.306{D94AFF6C-6DD8-60FA-0C00-00000000E701}728864C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000890974Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:24:40.306{D94AFF6C-6DD8-60FA-0C00-00000000E701}728864C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000890973Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:24:40.306{D94AFF6C-6DD8-60FA-0C00-00000000E701}728864C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000890972Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:24:40.306{D94AFF6C-6DD8-60FA-0C00-00000000E701}728864C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000890971Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:24:40.306{D94AFF6C-6DD8-60FA-0C00-00000000E701}728864C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000890970Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:24:40.306{D94AFF6C-6DD8-60FA-0C00-00000000E701}728864C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000890969Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:24:40.306{D94AFF6C-6DD8-60FA-0C00-00000000E701}728864C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000890968Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:24:40.306{D94AFF6C-6DD8-60FA-0C00-00000000E701}728864C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000890967Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:24:40.306{D94AFF6C-6DD7-60FA-0500-00000000E701}4161852C:\Windows\system32\csrss.exe{D94AFF6C-7148-60FE-B678-00000000E701}3168C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000890966Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:24:40.306{D94AFF6C-6DD9-60FA-2200-00000000E701}12963324C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D94AFF6C-7148-60FE-B678-00000000E701}3168C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000890965Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:24:40.307{D94AFF6C-7148-60FE-B678-00000000E701}3168C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{D94AFF6C-6DD8-60FA-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{D94AFF6C-6DD9-60FA-2200-00000000E701}1296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000890981Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:24:41.666{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=27FC9D13F940AF9D717B0A12F6310C6C,SHA256=BE979EA9D4FF1655ABC3BF6A5B766FDD1313DC03102593D28CDE67F37D1EEBCF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001027921Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:24:41.856{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB90E9E69C094D9714C4AD4F407785FD,SHA256=98F1ABDACE5D499C6F5F4A9616632057D528519EF7F9A4D93175AF17110D6F0F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000890982Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:24:42.775{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A951EE46017D1F23D3BF9BF423103903,SHA256=50CDBFAFCAF520626B7FDCA9C5AEE3ADD03B02F3450C0E0B2180A5E625C8E108,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001027922Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:24:42.856{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=17700CE31C2078A06709EF120622D51F,SHA256=6F6BE13D4ABA6966E333FA2E9DC2BC71725791172527C5B4A86442C00924506F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001027923Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:24:43.856{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F32786E44945DE72DE1359914FD5412D,SHA256=D82E87ADBF07BA3220E644FF53D1C26A8707C6038FA018C8EB403FA519C215F1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000890983Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:24:43.791{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F3A18261B1D5951236ACCDC4BD1FAC6,SHA256=7C8EEBCD5E0EC7D14193F13BE2D55F4AD1699C6BB70721919C99513691C485CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000890984Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:24:44.792{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=54B7EBF08D3926B48F06CA32F5A513F9,SHA256=9FC24C9880EE09DB72DA4A1A767E5D0E4B25E39B13A57B9941C05C0D16AFC84D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001027949Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:24:44.747{2E2BE06D-6DE9-60FA-3300-00000000E601}31563176C:\Windows\system32\conhost.exe{2E2BE06D-714C-60FE-3E79-00000000E601}3116C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027948Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:24:44.747{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027947Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:24:44.747{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027946Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:24:44.747{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027945Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:24:44.747{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027944Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:24:44.747{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027943Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:24:44.747{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027942Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:24:44.747{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027941Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:24:44.747{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027940Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:24:44.747{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027939Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:24:44.747{2E2BE06D-6DD6-60FA-0500-00000000E601}416536C:\Windows\system32\csrss.exe{2E2BE06D-714C-60FE-3E79-00000000E601}3116C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001027938Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:24:44.747{2E2BE06D-6DE8-60FA-2700-00000000E601}28923740C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2E2BE06D-714C-60FE-3E79-00000000E601}3116C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001027937Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:24:44.732{2E2BE06D-714C-60FE-3E79-00000000E601}3116C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2E2BE06D-6DD6-60FA-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{2E2BE06D-6DE8-60FA-2700-00000000E601}2892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001027936Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:24:44.075{2E2BE06D-6DE9-60FA-3300-00000000E601}31563176C:\Windows\system32\conhost.exe{2E2BE06D-714C-60FE-3D79-00000000E601}6772C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027935Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:24:44.059{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027934Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:24:44.059{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027933Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:24:44.059{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027932Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:24:44.059{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027931Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:24:44.059{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027930Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:24:44.059{2E2BE06D-6DD6-60FA-0500-00000000E601}416432C:\Windows\system32\csrss.exe{2E2BE06D-714C-60FE-3D79-00000000E601}6772C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001027929Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:24:44.059{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027928Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:24:44.059{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027927Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:24:44.059{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027926Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:24:44.059{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027925Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:24:44.059{2E2BE06D-6DE8-60FA-2700-00000000E601}28923740C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2E2BE06D-714C-60FE-3D79-00000000E601}6772C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001027924Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:24:44.060{2E2BE06D-714C-60FE-3D79-00000000E601}6772C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2E2BE06D-6DD6-60FA-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{2E2BE06D-6DE8-60FA-2700-00000000E601}2892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000890988Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:24:45.805{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7DD812D77EAB14BA0305B5DE230631EB,SHA256=3EC1EEF736ED0362799EA7A4982E1AA93C373A09215D5DA1A0D81E7D45D4DD40,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001027967Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:24:45.590{2E2BE06D-714D-60FE-3F79-00000000E601}32526116C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{2E2BE06D-6DE8-60FA-2700-00000000E601}2892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001027966Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:24:44.210{2E2BE06D-6DF4-60FA-6900-00000000E601}3676C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-56.attackrange.local57413-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x80000000000000001027965Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:24:45.434{2E2BE06D-6DE9-60FA-3300-00000000E601}31563176C:\Windows\system32\conhost.exe{2E2BE06D-714D-60FE-3F79-00000000E601}3252C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027964Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:24:45.434{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027963Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:24:45.434{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027962Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:24:45.434{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027961Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:24:45.434{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027960Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:24:45.434{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027959Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:24:45.434{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027958Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:24:45.434{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027957Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:24:45.434{2E2BE06D-6DD6-60FA-0500-00000000E601}416432C:\Windows\system32\csrss.exe{2E2BE06D-714D-60FE-3F79-00000000E601}3252C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001027956Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:24:45.434{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027955Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:24:45.434{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027954Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:24:45.419{2E2BE06D-6DE8-60FA-2700-00000000E601}28923740C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2E2BE06D-714D-60FE-3F79-00000000E601}3252C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001027953Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:24:45.419{2E2BE06D-714D-60FE-3F79-00000000E601}3252C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2E2BE06D-6DD6-60FA-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{2E2BE06D-6DE8-60FA-2700-00000000E601}2892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001027952Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:24:45.231{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1222687CA1C43B65C2FF8FBC58F6A0F8,SHA256=B9868365643746B9F0DC4A1995FCF55394D63EBAA893242FCE83892A76E1BE0B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001027951Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:24:45.231{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=698AD0F8D14CA2BD58796B71910ACB7B,SHA256=11511FA889C4197CA97C92E450E97A0837407016C18CFFAA60DFD04DE2744690,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001027950Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:24:45.231{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C80B016FE726BFD173A5B06043841F18,SHA256=A5DD51ED4034187DA81C857286690055AA8253FE0C95A32C80483DF94F87CC5A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000890987Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:24:45.368{D94AFF6C-6DD8-60FA-1100-00000000E701}972NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=8AE66BBE6AD3E88BCF6B54901B935074,SHA256=1B3D46E777C66FB317C862F8654D9584D98DAF51EB25142E2F8D065D29684BDA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000890986Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:24:35.539{D94AFF6C-6DD8-60FA-1000-00000000E701}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse193.93.62.20-39478-false10.0.1.15win-host-702.eu-central-1.compute.internal3389ms-wbt-server 354300x8000000000000000890985Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:24:35.259{D94AFF6C-6DE2-60FA-6100-00000000E701}3628C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-702.eu-central-1.compute.internal52549-false10.0.1.12-8000- 10341000x80000000000000001027997Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:24:46.981{2E2BE06D-714E-60FE-4179-00000000E601}47203024C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{2E2BE06D-6DE8-60FA-2700-00000000E601}2892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001027996Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:24:46.872{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=38F5A25F5A41EBB4804BE89A5404B2D3,SHA256=F08EB6B60917179888BDBCC9C960F76C04126A79B7904C6FD191A40D7D515FBE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001027995Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:24:46.872{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1222687CA1C43B65C2FF8FBC58F6A0F8,SHA256=B9868365643746B9F0DC4A1995FCF55394D63EBAA893242FCE83892A76E1BE0B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001027994Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:24:46.809{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027993Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:24:46.809{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027992Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:24:46.809{2E2BE06D-6DE9-60FA-3300-00000000E601}31563176C:\Windows\system32\conhost.exe{2E2BE06D-714E-60FE-4179-00000000E601}4720C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027991Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:24:46.794{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027990Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:24:46.794{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027989Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:24:46.794{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027988Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:24:46.794{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027987Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:24:46.794{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027986Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:24:46.794{2E2BE06D-6DD6-60FA-0500-00000000E601}416536C:\Windows\system32\csrss.exe{2E2BE06D-714E-60FE-4179-00000000E601}4720C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001027985Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:24:46.794{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027984Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:24:46.794{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027983Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:24:46.794{2E2BE06D-6DE8-60FA-2700-00000000E601}28923740C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2E2BE06D-714E-60FE-4179-00000000E601}4720C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001027982Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:24:46.794{2E2BE06D-714E-60FE-4179-00000000E601}4720C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{2E2BE06D-6DD6-60FA-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{2E2BE06D-6DE8-60FA-2700-00000000E601}2892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000890991Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:24:46.807{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=695E968CC0BDD1DD08524768D981CD94,SHA256=4DE0E5B6685C9CE0D1DD9798D8E0AC04CB89A776BE9C9F8E6DEE9B153449E485,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000890990Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:24:46.026{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DC228E381124E73DD88BC79965641C83,SHA256=48A6AB2B4EC91C9B85E118241FFFFD901549A592046C7EE9360301FADACFF14C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000890989Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:24:46.026{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1DDCA8EB924846E60029CBE4A94872DD,SHA256=1D1F3D05E44CDDA36B7AC0A93E87EDC708CF3DCFAF84DE954478427A00807149,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001027981Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:24:46.278{2E2BE06D-714E-60FE-4079-00000000E601}62683160C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{2E2BE06D-6DE8-60FA-2700-00000000E601}2892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027980Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:24:46.122{2E2BE06D-6DE9-60FA-3300-00000000E601}31563176C:\Windows\system32\conhost.exe{2E2BE06D-714E-60FE-4079-00000000E601}6268C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027979Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:24:46.122{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027978Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:24:46.122{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027977Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:24:46.122{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027976Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:24:46.122{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027975Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:24:46.122{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027974Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:24:46.122{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027973Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:24:46.122{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027972Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:24:46.122{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027971Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:24:46.122{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027970Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:24:46.122{2E2BE06D-6DD6-60FA-0500-00000000E601}416420C:\Windows\system32\csrss.exe{2E2BE06D-714E-60FE-4079-00000000E601}6268C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001027969Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:24:46.122{2E2BE06D-6DE8-60FA-2700-00000000E601}28923740C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2E2BE06D-714E-60FE-4079-00000000E601}6268C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001027968Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:24:46.107{2E2BE06D-714E-60FE-4079-00000000E601}6268C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2E2BE06D-6DD6-60FA-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{2E2BE06D-6DE8-60FA-2700-00000000E601}2892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001028012Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:24:47.809{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F5E6D8130278B0DC8F8C8BB8A61DE3D0,SHA256=3AA53FB3CE95658D9724ADB88335EB39A1E632DC199F9A822160B2F43E135F6B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000890992Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:24:47.823{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE300E0B91DA97805288602DC2E7EF08,SHA256=E523E0930EDD95D9F12DBC2FB9800EBBA7838145B7D29A742F7C6A64E72ED157,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001028011Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:24:47.669{2E2BE06D-714F-60FE-4279-00000000E601}60841156C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{2E2BE06D-6DE8-60FA-2700-00000000E601}2892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001028010Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:24:47.497{2E2BE06D-6DE9-60FA-3300-00000000E601}31563176C:\Windows\system32\conhost.exe{2E2BE06D-714F-60FE-4279-00000000E601}6084C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001028009Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:24:47.497{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001028008Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:24:47.497{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001028007Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:24:47.497{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001028006Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:24:47.497{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001028005Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:24:47.497{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001028004Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:24:47.497{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001028003Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:24:47.481{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001028002Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:24:47.481{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001028001Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:24:47.481{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001028000Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:24:47.481{2E2BE06D-6DD6-60FA-0500-00000000E601}416432C:\Windows\system32\csrss.exe{2E2BE06D-714F-60FE-4279-00000000E601}6084C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001027999Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:24:47.481{2E2BE06D-6DE8-60FA-2700-00000000E601}28923740C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2E2BE06D-714F-60FE-4279-00000000E601}6084C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001027998Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:24:47.482{2E2BE06D-714F-60FE-4279-00000000E601}6084C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2E2BE06D-6DD6-60FA-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{2E2BE06D-6DE8-60FA-2700-00000000E601}2892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001028014Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:24:48.887{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C91914D88B4468B429AAE9CD15F48CF,SHA256=7BDD982D7ADE7DDBAA992969562B54460542C599074A144433F7D0CBCF60A4FF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000890993Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:24:48.823{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C24975D65A79811F39D5E1CED40826E9,SHA256=669DAFB78647610BF14B86943F55BCEE3BB0F7951CA8AD471D759572C8739A9A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001028013Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:24:48.012{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0550D77AC0D53C30542350254E315827,SHA256=588FE98F1CD018E8518136118107BC6B4683A81767EDAFA2EEC8A7E3484CCB66,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000890994Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:24:49.839{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E302189D66814388C3A673F03CFDEED,SHA256=46A385BE71800B6293ECC4EFAE689CBE434B97AEA3D90F605666D2B9FB5FFC87,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001028015Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:24:49.919{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A9C61264A61D667FB77ADA2E9C748633,SHA256=EF80AC6883D8345324B8109D417A3A5319E10DFEF853D585559352CBD76627B9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001028018Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:24:50.950{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=57D07578D1ECEAB469B4829AB7E2151F,SHA256=537C00ADCE98C45C7D9A4BBDABCE9C3F6A87911E78E965ADBC52817C5F43EDAB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000890996Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:24:50.854{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=22BEC876C2832900BB67524E37037DE3,SHA256=6C7D28E7CE8FAC226CCB3D7C3AA05A210EB9EE07AB92B4B98352CB4AC58D4F45,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000890995Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:24:50.136{D94AFF6C-6DD9-60FA-2200-00000000E701}1296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=85E02EEFEB94889C2B3FA0450D64D965,SHA256=FD2D44B44F455C51F744FDF6D494B2B2CAA113DD2D7C2DD2E0FED42E8CA25B0C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001028017Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:24:50.794{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2D5800DA2BF4FC8236FD0E821E0B73FF,SHA256=6F2B2E2C7F1C4976F34B43B05BC3AAF0348AA9C702F53AA257E265A67593BABB,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001028016Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:24:49.288{2E2BE06D-6DF4-60FA-6900-00000000E601}3676C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-56.attackrange.local57414-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001028034Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:24:51.950{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E27C8BE02C8CF8FED9F8AC582BB0917B,SHA256=FF2900A78B2808C81024628D143AA73097CD326DB7E7A01E192F1D1EACFD1210,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000890999Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:24:51.870{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=795E897E855687647499AFD9ECF917EA,SHA256=D7EEE27EB630BF6154D0B9F0CD0ADE2556CC6B7C090F22392D0441883A220F3A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001028033Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:24:51.825{2E2BE06D-6DE9-60FA-3300-00000000E601}31563176C:\Windows\system32\conhost.exe{2E2BE06D-7153-60FE-4379-00000000E601}5436C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001028032Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:24:51.825{2E2BE06D-6DD8-60FA-0C00-00000000E601}844584C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781