23542300x8000000000000000111759Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:15:20.953{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DBA7A1D6C7ABE768147D6877A82024F3,SHA256=275CA8873BED3F18243A2B4985E9D279357CF4DAAC6F56577110CE46A5124C12,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000093930Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:15:19.172{601D2BAB-04F9-614B-6600-00000000FD01}2700C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-301.eu-central-1.compute.internal50288-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000093929Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:15:20.518{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=62D3A0383AC8E38B7DB7D4CE0D3DEF2B,SHA256=E9390282D69F5C401C7F937F3BAC81974D15410C8960872E61B154012ADF37D5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000111760Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:15:21.984{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A3007162F3ACC67BE968D51B6DB7912F,SHA256=39A8F893D100BF9BFBD0250DC209CD307FA77EF5A9DFC1424C3162E844FCA396,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000093931Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:15:21.518{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=22D2DD0303454A5AACFB039A5151FF35,SHA256=455E6796E5E1CBF166D097B015AA2C90E0B5CCB17E7179E7D9A37AFD414A4D79,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000093932Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:15:22.533{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=64AAF789CFD289A8E9D8A4BA7D137264,SHA256=04DCBD53F58A7E5B71EB478256064884773240EB12EE25FF5CB1C97BD155D5D7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000093933Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:15:23.549{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=18A6D6C00070674B8D79738755D004C9,SHA256=8040B74945FE269A8E110A06A55A2106A8B8C5A42156B04372D9BCE09C641BE5,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000111762Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:15:20.650{D0132419-04E8-614B-6A00-00000000FC01}3852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local55776-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000111761Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:15:23.000{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=96B1CF98DA8B3A94C637AB49FEFC8180,SHA256=0F91C40935C503DF3A107899F6E1280B1E1A34CCB6EF52FCABBBF374C41D6317,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000093934Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:15:24.565{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C94C895D24B80818671559E561B81F9B,SHA256=71163A7CFF4FE00DC4223C207085E0DD308A015ACCA2EA29F3D1067275DFE6CA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000111763Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:15:24.016{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=124B750B64124DE9B6CF7C4D182F7E79,SHA256=7E562FCA36D5E23719457B0991DD1F96E22AE719EA1D88DAD66521D3A05450FA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000093935Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:15:25.627{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B04392B68B8A8C676A26080A1234ABD4,SHA256=9DCAB261C813B4D9699826B6FA1BED8F2F965262A342B6325932E54232B60773,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000111765Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:15:25.031{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9278D486A6ECF47B8F22F2D010765B69,SHA256=AF92AD2175FCC23F823A647A0131420FB5A0DE3133E02499CAF866BCA68CF9C0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000111764Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:15:25.031{D0132419-04D0-614B-1300-00000000FC01}396NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=B4543FED6DFA38014FC9920D209DA476,SHA256=B62F1B74052CA99A457FAFCFCD5A4C035B9A5CA8CA0D4FBDB8882000D6AE89F0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000093936Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:15:26.627{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=94D077E782E350AC146969194B20E33D,SHA256=86C74BFCB94C58B98768446BCE563A4914D1B728BC17D161CAC64A5D4ABA88D5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000111766Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:15:26.250{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DFF58DA905AFE960D1E6B38D03D2B258,SHA256=CCEB308A8213E906D5463B43355CC0BA20C35CD277CF9EFD6281DAF0AA19512E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000093937Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:15:27.737{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2D7752E9A38229B93B5BFEF2DA5075AA,SHA256=4B8F42FB8A11EB6EB3C16DAC67D96A6ACB92E7F3090D983AB0915793578C3E16,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000111767Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:15:27.281{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A524439CD57FA13211C030ECCE57AD36,SHA256=7215D938C035873B2C8475142321D2EE35AE4E94B89C90D2F9406048BE05AA32,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000093939Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:15:28.768{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=463D5753FDA93E8DD225610A3FF7978C,SHA256=28290262A8A4C6DF2955D9CA7FD22406F40D13E3548F26EF0E7BD68C061DA251,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000111768Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:15:28.297{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC41271F06FB0D678139B948E9BEA1BE,SHA256=6AA18F806C986DD199A3AED79A744BABD15C33C687483418B6DB651A31BC5BB3,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000093938Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:15:25.190{601D2BAB-04F9-614B-6600-00000000FD01}2700C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-301.eu-central-1.compute.internal50289-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000093940Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:15:29.799{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD3C58BCE82F3C529E8BA19CAB6C63FE,SHA256=6DD19360F6850F777429E78735E5FC143F665FD78573507847C34B7CA5075F2D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000111770Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:15:26.510{D0132419-04E8-614B-6A00-00000000FC01}3852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local55777-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000111769Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:15:29.312{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=773E7CF295E24916B843925023B1FFFF,SHA256=66AEDA14AD02C8F245F714029653A756363F0CF3CEDFFED35755DF78625582AE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000093941Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:15:30.862{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=04C3F3B0E6A14132033D134AD81670C2,SHA256=7C6F9F5927E5322B203540365A847B2D20CBA5285D23B6A9DAF0F268EF565960,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000111771Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:15:30.328{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE8B36060B4755FCDC8352B6A6B13027,SHA256=670469584DE34041DAC59A5EF60A00285A678F38187DAAB19ED1314455D2625A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000093942Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:15:31.893{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=71CCE63B27674B4D8CCB889990A504F2,SHA256=51FDC86990BA78E0BB141C2B6AF8A9538CAB03BCA166ADB76DB97DFDB7FD625B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000111782Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:15:31.344{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC34D4001E9027E80C34C519236ED2F4,SHA256=9C3185AA27DD1A348B1F98314EED2214D89093C788270399797FD0E2D9116BC8,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000111781Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-SetValue2021-09-22 11:15:31.312{D0132419-04CD-614B-0B00-00000000FC01}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000008) 13241300x8000000000000000111780Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-SetValue2021-09-22 11:15:31.312{D0132419-04CD-614B-0B00-00000000FC01}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x002d1ce3) 13241300x8000000000000000111779Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-SetValue2021-09-22 11:15:31.312{D0132419-04CD-614B-0B00-00000000FC01}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7af9a-0xc5d4c683) 13241300x8000000000000000111778Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-SetValue2021-09-22 11:15:31.312{D0132419-04CD-614B-0B00-00000000FC01}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7afa3-0x27992e83) 13241300x8000000000000000111777Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-SetValue2021-09-22 11:15:31.312{D0132419-04CD-614B-0B00-00000000FC01}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7afab-0x895d9683) 13241300x8000000000000000111776Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-SetValue2021-09-22 11:15:31.312{D0132419-04CD-614B-0B00-00000000FC01}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000008) 13241300x8000000000000000111775Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-SetValue2021-09-22 11:15:31.312{D0132419-04CD-614B-0B00-00000000FC01}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x002d1ce3) 13241300x8000000000000000111774Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-SetValue2021-09-22 11:15:31.312{D0132419-04CD-614B-0B00-00000000FC01}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7af9a-0xc5d4c683) 13241300x8000000000000000111773Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-SetValue2021-09-22 11:15:31.312{D0132419-04CD-614B-0B00-00000000FC01}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7afa3-0x27992e83) 13241300x8000000000000000111772Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-SetValue2021-09-22 11:15:31.312{D0132419-04CD-614B-0B00-00000000FC01}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7afab-0x895d9683) 23542300x800000000000000093943Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:15:32.924{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E776AB9AFF3F42D438DD667C3B426CA4,SHA256=04B2AD44AFD69A2008C033109E446166D176BBEB2F7970DCCE0870F0DDAA0F66,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000111783Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:15:32.391{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C429120082DB5BEF9BB597BC72E62E4,SHA256=894259AAC78DBAC161E40F4CF951E9934226009EBE9E735B86DAEF5B1D874EBA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000093945Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:15:33.940{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0099C083D01FF4BC7771BF942F83DCB4,SHA256=BB9880C9EA5923A2A81601952BA46C0BB762FB361A96FA03B72035D4AEBAAC49,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000111785Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:15:31.526{D0132419-04E8-614B-6A00-00000000FC01}3852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local55778-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000111784Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:15:33.406{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=57147D5A40B71F49712C121096C68EB7,SHA256=00828FA76D532012F40247C859403B0C6D9FBE0159D13BC26B6CE259C6AF8F90,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000093944Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:15:31.159{601D2BAB-04F9-614B-6600-00000000FD01}2700C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-301.eu-central-1.compute.internal50290-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000093946Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:15:34.940{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=939629189DDC865C4025D512AEDC7FE0,SHA256=E77025383B1C510D7A2FF39522DC2396831EAF2FFBA4B74185DACA12F600C28E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000111786Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:15:34.422{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A3189DC51CB8DF9F9C53EAFEBB68AEB9,SHA256=89C70241A7322F0F95979B5A4B0746612EE6413A8FD21527F0568DD30314CFD1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000093947Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:15:35.971{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A47863F9AEA2502CD5CBF17E614BBF6,SHA256=164993D04B33336FFD92BDEE1B14B3739E20AA39B6CC529B50D17C87398F3DC0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000111787Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:15:35.453{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=493A48F57242A9F0A3A59C09C68DA8F5,SHA256=9E686FBD3753812D829F827E223D92D82CCA443346D3F5675E2C8F4D42414992,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000093948Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:15:36.971{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2377FE4ABCB55F52FF5527A16710C602,SHA256=713529CCE75022DEBC34C03975210BE1010313FE41A2E3B62DD893F63F6BF412,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000111789Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:15:36.844{D0132419-04DD-614B-2800-00000000FC01}2832NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=2990B16A694DD695D7F6C8AE7AEE48F0,SHA256=B465CF03FBDF89CAB3FC04972E2D540944CDC3DF8EB3010FFE979D2D499C10D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000111788Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:15:36.453{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE5FB199A3F001513924319AA6DEC73E,SHA256=9B35051B92309B99F80529AAA6CA713163EA35240FA706DB7E3F1E0B74157518,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000093949Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:15:37.971{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CF9B380D607EF98A250E1F18E887CFFE,SHA256=EB955183AA6B8982660C6C654F48838645B061BC2CC97A8A7D30CBF2A88B1D85,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000111790Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:15:37.469{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B923E33B4D3AF1BCA9EAB107CE5C3083,SHA256=25689771A8C2BC5D0C9280EB0EA9C2D85CAACF2FC249B5121494CCEB7400D0A3,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000111793Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:15:36.682{D0132419-04E8-614B-6A00-00000000FC01}3852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local55780-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000111792Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:15:36.338{D0132419-04DD-614B-2800-00000000FC01}2832C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local55779-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x8000000000000000111791Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:15:38.484{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=747587C2069E3145FC5BD7D09B451345,SHA256=5E6B59ACEB55756B8C2038BAD102645438F67333500305AE360386C38880D510,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000093950Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:15:36.190{601D2BAB-04F9-614B-6600-00000000FD01}2700C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-301.eu-central-1.compute.internal50291-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000111794Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:15:39.500{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1141A1A9936C7A2EEA69DB46AEF9D436,SHA256=43556426F68DF28E3402D415990DE0861D2A9C7FB64833F2B61CDA5E0D16965D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000093951Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:15:39.002{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F41CF09418231865166FF84E6A5341F,SHA256=1C41C8177789DF1564975671A9F627EFFA078C50BD30E7DB59CC0E880872DDA5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000111795Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:15:40.516{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=250D84E941137E698C82BBB44CB529E3,SHA256=748525AF16A18D23E794687A1CD9B4EAE849654E6C361FF46BC36267822BB55A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000093952Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:15:40.054{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E3CC399D97C35B47A9E2AB9A5D7050BC,SHA256=07A4B7D516870DBCF004288AB95DE67279A096249537B381AE71D96ADD3DFD3E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000111796Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:15:41.547{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC67DFAB9E4B861434B488FF321A168B,SHA256=7C3017078906AF532011F955887731A30C5499848FE3DA82FA4544AEF7042363,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000093954Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:15:41.788{601D2BAB-04EF-614B-2300-00000000FD01}1560NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=2990B16A694DD695D7F6C8AE7AEE48F0,SHA256=B465CF03FBDF89CAB3FC04972E2D540944CDC3DF8EB3010FFE979D2D499C10D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000093953Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:15:41.070{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D0A3F222F5EC14D7422EAD7E1256BD3B,SHA256=D790CE2DEB80B6AD88C639C562453BBE20A17E8A44993B53EEF21AFFB09FF81B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000111797Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:15:42.562{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A61D3D51272D79E881B916000A0D56C9,SHA256=993ECBF6FD03DD98329B1D59BDA7B273CC40C84486DAD97DF14B90F470741A19,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000093955Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:15:42.101{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C753793AE515D33E9D26664F0F826F97,SHA256=0802396D0199061EFCF18CEB160451B2CC3811799966B6A5E0F4F3684531B5ED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000111798Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:15:43.578{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1076BECEF29B61263E48706806BECF84,SHA256=9BBB625074C215283331DA64F0061C97E424C9AE8E0DF6763EC7CB19E267B8C2,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000093958Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:15:42.039{601D2BAB-04F9-614B-6600-00000000FD01}2700C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-301.eu-central-1.compute.internal50293-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x800000000000000093957Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:15:41.727{601D2BAB-04EF-614B-2300-00000000FD01}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-301.eu-central-1.compute.internal50292-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x800000000000000093956Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:15:43.101{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4ABD915D150072155AE67C62C14CC3FB,SHA256=5330FD4479D717E9032A0CC49453E7A3038C19ABC79FFD015419478866D159F9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000111800Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:15:42.572{D0132419-04E8-614B-6A00-00000000FC01}3852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local55781-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000111799Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:15:44.594{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2BF77E3B0EA8243CD269931B085F32FF,SHA256=C4F123E72378BB06F84468516548B40FD500759FF2D3E3D37997A8865E3D2C59,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000093959Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:15:44.148{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=33D14F529C76ABE2AEFDEE29302031F2,SHA256=B69E5200E03CCAE6C44A48EF3E37314F72D1098D26DA8F52D15330F39591FDD7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000111801Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:15:45.609{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B95419574B01E08188DD748CE4B88FAD,SHA256=5728A48016AABC391659EB7671E38D3482AEAAB28E66A0B6EED67CCF91A5B9CB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000093960Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:15:45.179{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B6404CE79D4A7BE7D7A80437516C360,SHA256=DD8685E266C130D7854E5BCAEF199DED36F64E0CB85BAA8BC0CC367ABB20DFF1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000111802Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:15:46.625{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9A8CEC30E6CA70B320C7F9EE9FF76509,SHA256=617896EDF260EB5B085D443E615365FF10B1E9BCBDBF308CA852AC1BB15494B1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000093961Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:15:46.179{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C7DB39C0DC42F1B09F9ED190010CD862,SHA256=4E3FD06ED03632870B86A9C2EC7A76F4B4E38E477DF63FD61BDD79270D8BD4F9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000111803Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:15:47.641{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3DAE918D25C45C64E03192A6D85735F9,SHA256=108FC3E6744A4FA3C509D8FCFF69CB22DD603E9E63F1D37BD3A0A22CD80795DF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000093962Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:15:47.226{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=44D2055398D2DD441C166995CE518819,SHA256=DCA66128EB926654D1A3453C90356368664556AEE153ADF09295F85FD35BC300,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000111804Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:15:48.641{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7536856CC1E4D39107F8E5836C12738E,SHA256=915DC4937952BA1F5699FBCFBE5E79F438FAD54E126450C69047B01A58D871C6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000093963Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:15:48.226{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=30062A45C25269DE41A5C1C4E4E35427,SHA256=E58131E27D36FA98CF42CF95084018D0F7B9E520117F310AFBA270396A7EF597,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000111814Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:15:47.620{D0132419-04E8-614B-6A00-00000000FC01}3852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local55782-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000111813Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:15:49.656{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF5B05C00395FE165613E2FFD71118D4,SHA256=D43DBE8FBFBE6172112A07F96C146E59BBB31D98A9472763A2A7CA7249356ED9,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000093965Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:15:48.039{601D2BAB-04F9-614B-6600-00000000FD01}2700C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-301.eu-central-1.compute.internal50294-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000093964Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:15:49.242{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=61BDA76FC1BA73873D220505BADB5C72,SHA256=22960A2B9B22EA9F32C89FF482442A1F88E7F58983FEFE3BC102F07A7E1D1E9C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000111812Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:15:49.594{D0132419-04DE-614B-3100-00000000FC01}23683044C:\Windows\system32\conhost.exe{D0132419-1065-614B-3802-00000000FC01}5476C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000111811Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:15:49.594{D0132419-04CF-614B-0C00-00000000FC01}8484484C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000111810Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:15:49.594{D0132419-04CF-614B-0C00-00000000FC01}8484484C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000111809Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:15:49.594{D0132419-04CF-614B-0C00-00000000FC01}8484484C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000111808Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:15:49.594{D0132419-04CF-614B-0C00-00000000FC01}8484484C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000111807Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:15:49.594{D0132419-04CD-614B-0500-00000000FC01}424540C:\Windows\system32\csrss.exe{D0132419-1065-614B-3802-00000000FC01}5476C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000111806Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:15:49.594{D0132419-04DD-614B-2800-00000000FC01}28323704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D0132419-1065-614B-3802-00000000FC01}5476C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000111805Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:15:49.594{D0132419-1065-614B-3802-00000000FC01}5476C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D0132419-04CD-614B-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{D0132419-04DD-614B-2800-00000000FC01}2832C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000111825Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:15:50.844{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C20C59EB6F6A8F0114545EDE79E44F8,SHA256=7792C669FC285CFC43A68119D5BC6BFBD2FBED22641079A16CFAA2724B86A5C6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000093966Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:15:50.242{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C5243C79DAA9B0DFA7658FAC90E42D71,SHA256=AC5F397248A6C76AB3D77A63B4613CB29D23C03C653A71285B61E145E68DADF1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000111824Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:15:50.641{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B5E63733B0B97FDC6E09C22D627048FB,SHA256=F800D92B9B5A9FDD3FF6A602A65390B1863E2BA94DD4B7C9F4DCD2BAAB0FCC8E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000111823Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:15:50.641{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A030FDD1D6B152B867B9953F718BE1AB,SHA256=D31E46E20424A89AFBC86D83C2E0E826435586A6C70BFBF972613DD5826789BC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000111822Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:15:50.609{D0132419-04DE-614B-3100-00000000FC01}23683044C:\Windows\system32\conhost.exe{D0132419-1066-614B-3902-00000000FC01}4708C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000111821Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:15:50.609{D0132419-04CF-614B-0C00-00000000FC01}8484484C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000111820Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:15:50.609{D0132419-04CF-614B-0C00-00000000FC01}8484484C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000111819Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:15:50.609{D0132419-04CF-614B-0C00-00000000FC01}8484484C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000111818Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:15:50.609{D0132419-04CF-614B-0C00-00000000FC01}8484484C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000111817Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:15:50.609{D0132419-04CD-614B-0500-00000000FC01}424540C:\Windows\system32\csrss.exe{D0132419-1066-614B-3902-00000000FC01}4708C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000111816Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:15:50.609{D0132419-04DD-614B-2800-00000000FC01}28323704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D0132419-1066-614B-3902-00000000FC01}4708C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000111815Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:15:50.610{D0132419-1066-614B-3902-00000000FC01}4708C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D0132419-04CD-614B-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{D0132419-04DD-614B-2800-00000000FC01}2832C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000111837Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:15:51.954{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B5E63733B0B97FDC6E09C22D627048FB,SHA256=F800D92B9B5A9FDD3FF6A602A65390B1863E2BA94DD4B7C9F4DCD2BAAB0FCC8E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000111836Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:15:51.867{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B1A37D82F31C255ECACC8AD56884F87,SHA256=470066D63C7CA8DD3E794075A4DFE5C291BA9B8669977B8CA02A28649C9ED8A0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000111835Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:15:51.864{D0132419-04DD-614B-2900-00000000FC01}2876NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-00d0db05f68d8430c\channels\health\respondent-20210922102639-047MD5=345F625AB226979275E8E5CD8333D545,SHA256=49B2C959B2C09B2DF7CFAED4905912E8B63F426A3734D76F2BAAFA07100D73D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000093967Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:15:51.242{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E011CA661DFCCC9686D554499AED264B,SHA256=2ED65A734CBC198106068B86066DC8D3520BD5A0B9BC30BEFA5027D4180ABBD2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000111834Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:15:51.328{D0132419-1067-614B-3A02-00000000FC01}53765560C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{D0132419-04DD-614B-2800-00000000FC01}2832C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000111833Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:15:51.109{D0132419-04DE-614B-3100-00000000FC01}23683044C:\Windows\system32\conhost.exe{D0132419-1067-614B-3A02-00000000FC01}5376C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000111832Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:15:51.109{D0132419-04CF-614B-0C00-00000000FC01}8484484C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000111831Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:15:51.109{D0132419-04CF-614B-0C00-00000000FC01}8484484C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000111830Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:15:51.109{D0132419-04CF-614B-0C00-00000000FC01}8484484C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000111829Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:15:51.109{D0132419-04CF-614B-0C00-00000000FC01}8484484C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000111828Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:15:51.109{D0132419-04CD-614B-0500-00000000FC01}424540C:\Windows\system32\csrss.exe{D0132419-1067-614B-3A02-00000000FC01}5376C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000111827Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:15:51.109{D0132419-04DD-614B-2800-00000000FC01}28323704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D0132419-1067-614B-3A02-00000000FC01}5376C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000111826Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:15:51.110{D0132419-1067-614B-3A02-00000000FC01}5376C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D0132419-04CD-614B-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{D0132419-04DD-614B-2800-00000000FC01}2832C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000111839Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:15:52.881{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=804E72639C4CC2F2026F4DA2593D51D6,SHA256=48954BF0785F623B4B91EBEC18DEEEEF724BD52706BA45E3303373E4AAC674A8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000093968Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:15:52.257{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A3A3AE3C7D607F2CABFD43752487DDC1,SHA256=9C6CAF00A140BA1B67685D20E8885334F0F96C7F02832AB9C509FA56B09DEC62,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000111838Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:15:52.877{D0132419-04DD-614B-2900-00000000FC01}2876NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-00d0db05f68d8430c\channels\health\surveyor-20210922102637-048MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000111851Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:15:53.971{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=97D5BDFDEB43B1E57FE782A4F505B4C0,SHA256=7916F293C7ACA4D87CF5AFD25E5839C5CB4CC472B05A2CBDC1AF6B9A9FC558D7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000093969Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:15:53.273{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=57ACA37EB20C5925B0B6069B107C69F4,SHA256=FD88DD3B41BF5509C2E0D61120A47CFCD68AC3451C36105B3F980AEFF962D77D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000111850Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:15:53.784{D0132419-1069-614B-3B02-00000000FC01}54685164C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D0132419-04DD-614B-2800-00000000FC01}2832C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000111849Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:15:53.596{D0132419-04DE-614B-3100-00000000FC01}23683044C:\Windows\system32\conhost.exe{D0132419-1069-614B-3B02-00000000FC01}5468C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000111848Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:15:53.596{D0132419-04CF-614B-0C00-00000000FC01}8484484C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000111847Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:15:53.596{D0132419-04CF-614B-0C00-00000000FC01}8484484C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000111846Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:15:53.596{D0132419-04CF-614B-0C00-00000000FC01}8484484C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000111845Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:15:53.596{D0132419-04CF-614B-0C00-00000000FC01}8484484C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000111844Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:15:53.596{D0132419-04CD-614B-0500-00000000FC01}42492C:\Windows\system32\csrss.exe{D0132419-1069-614B-3B02-00000000FC01}5468C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000111843Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:15:53.596{D0132419-04DD-614B-2800-00000000FC01}28323704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D0132419-1069-614B-3B02-00000000FC01}5468C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000111842Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:15:53.597{D0132419-1069-614B-3B02-00000000FC01}5468C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D0132419-04CD-614B-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{D0132419-04DD-614B-2800-00000000FC01}2832C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000111841Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:15:50.447{D0132419-04CD-614B-0B00-00000000FC01}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local55783-true0:0:0:0:0:0:0:1win-dc-639.attackrange.local389ldap 354300x8000000000000000111840Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:15:50.447{D0132419-04DD-614B-2500-00000000FC01}2784C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local55783-true0:0:0:0:0:0:0:1win-dc-639.attackrange.local389ldap 23542300x8000000000000000111855Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:15:54.987{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F1492C7CBD955177BD10053991DDBCD,SHA256=09AF21A5D3562AEF51BB64474E27EA08A2F7BBE923893E5C1F2751177455E9C3,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000093971Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:15:53.071{601D2BAB-04F9-614B-6600-00000000FD01}2700C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-301.eu-central-1.compute.internal50295-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000093970Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:15:54.289{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=720A3D119CE2869D6262B7581F028DC9,SHA256=B6007C00462EC02017AD71342B07BFED8A2DBD400B92EE5C2BD93249DF82B817,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000111854Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:15:52.716{D0132419-04E8-614B-6A00-00000000FC01}3852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local55784-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000111853Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:15:54.628{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=81C0BB3BFF4BC8D5214443627A01546F,SHA256=1A399C4C90620B411D7098CB3727EC7F0D06B15EC81E7386421E3E0852D62D31,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000111852Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:15:50.766{D0132419-04D0-614B-0F00-00000000FC01}368C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse144.76.70.162static.162.70.76.144.clients.your-server.de54123-false10.0.1.14win-dc-639.attackrange.local3389ms-wbt-server 23542300x8000000000000000111856Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:15:55.987{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=42C7571B41A6C53AC9854FEBC1E63C36,SHA256=103E1E3B009C243321B70A8C53FFC0ED4FC9506E18B1E1E06300C1D013C58917,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000093973Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:15:55.289{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4A7A6F548402BD96FD6F76152BAFA974,SHA256=4F05139D7245692C1C02BF3F02202DC3E57F6547FEFDA3262EAF3FCE99D2D699,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000093972Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:15:55.242{601D2BAB-04EE-614B-1100-00000000FD01}972NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=1DADD63C14048BAEAE24932E6FCA0F79,SHA256=D9F52FC384028AF91857456475912E1FB1970DA191782D1169745B1F1E3F142F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000093974Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:15:56.289{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=943852D42E91C45C8B88EAD2542E8CF7,SHA256=0BDF6331FC4077F1B5753337BD70DF13CD8F1E199B76E0A7C254FF5F5BF80DC0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000111857Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:15:57.034{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9DCFD81E55D2698B270B6F651AE4E58D,SHA256=F7A9354A8C07B32BE64D10DFA35FFF0999B2DC1C0974FFC70B6132E448CE2526,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000093975Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:15:57.304{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=83AC7DCD523708C08BD16313E734EAEA,SHA256=717DCB63F7B655A28DBBB21DC7CAFCCEA21FA4FC04DBDF2F1BF9111485FAEFC1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000093976Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:15:58.304{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=064D2045EAA76D1CA5014068236E81E0,SHA256=37F097F679145A7919E3B267C99C6CC9E422E525000E80A4DD28A279F9F5BE2E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000111858Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:15:58.050{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F072AC00056EBCB1692932FD7FF99794,SHA256=3D0E6D7BDACC85B066F82E21F03F0BDFA0F3873CAD0AFFF96DC73C7E65575F7A,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000093978Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:15:58.087{601D2BAB-04F9-614B-6600-00000000FD01}2700C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-301.eu-central-1.compute.internal50296-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000093977Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:15:59.335{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E8D14D22A002043849655ECF64EFBD12,SHA256=DA769185D8C0D6880EF961681F27B2496134184D6C05B8C0FD32DF7EC8532A6F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000111859Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:15:59.065{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E41EF2F3F92DB21EF785B602390CBF73,SHA256=A151BAF351A4B881B8DD39F46A298B00ECAACE94A28A3CC64FA59A1D71149F3D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000093979Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:16:00.347{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EF1B45A474E96B8FEB28F9717460DC3F,SHA256=66C5076FE4996C00A705656E4F8D8AEBEF53E056D504C836177D5029A1B872B6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000111860Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:16:00.096{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=027A2615037A4CD11FA40AED44BCE3AA,SHA256=CE1DD3EEEF9F048B3576FE33EE6DF71C3877F771F71923B10861FBB632E6CF27,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000111862Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:15:58.637{D0132419-04E8-614B-6A00-00000000FC01}3852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local55785-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000111861Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:16:01.143{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3FB1C09003B5E06C90DE9AAC18A8C8CD,SHA256=F20844D1E51A3E9B0D79CD528C0F1F5BA10846C1FA2E57F4F67B7F631C485F7A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000093980Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:16:01.347{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C662857FD512E89D4F35173D6B5FAB42,SHA256=7EF7FB3CCCD21EFAFCBA9245DF87CB3A624D3372A172D0BF72FE50EB8E85F471,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000111863Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:16:02.175{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=874A283F7D2474153FA72A128E31DE7E,SHA256=99CCA4EC4E995705DC0AB70E607010950D2BD71EC348C13243B41AB7BC66B8E1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000093981Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:16:02.347{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2212597CF5E246124236188BF23C28AC,SHA256=024FAB8600156ABD7DD508FEAA645F0BCBDD41DB378CA43814ABFB61ECF2B7E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000093982Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:16:03.362{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A8B685BA089B496466672B386F36314F,SHA256=72C5E1AB1B04794671E36DBF89F10D2C6E5A90627C9443A76B2098665A4AEEE1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000111864Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:16:03.206{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C247D617650DCB3542B8C31E0E3B92C,SHA256=F2F4C3D2932F4588798C0496F61367436ED6E60EA3946AD191F915CADDB95C83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000093983Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:16:04.362{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D390DFA5E882F35CB40A83BB0661ED8,SHA256=353B9F57AF7954573397CFF1958D0D05F1525F5877B0BB9701064E929D8E0D44,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000111865Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:16:04.221{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=24E434E3D244A5E0D5E133B79BEA7F3B,SHA256=DD41F6EF260D2B6EE3F2195EFA5B953AA1F1C528EBA406B56B0663F6C296C025,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000111867Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:16:03.747{D0132419-04E8-614B-6A00-00000000FC01}3852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local55786-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000111866Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:16:05.222{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CED192AB9D32EF83C4CA778E2448AC4E,SHA256=C0ECDDA42CB398F8606C4D50C7AB6FFD5962F05D3D8C48DF5698490C050CC75A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000093985Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:16:05.362{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B97E6434A1A68AE3758A96949338C8D,SHA256=0EA998EFA8EEA3D9626202F06C5CDBAF449E1F964EDFB6F3AC221863CBD777EA,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000093984Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:16:03.160{601D2BAB-04F9-614B-6600-00000000FD01}2700C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-301.eu-central-1.compute.internal50297-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x8000000000000000111885Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:16:06.987{D0132419-04DE-614B-3100-00000000FC01}23683044C:\Windows\system32\conhost.exe{D0132419-1076-614B-3D02-00000000FC01}4480C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000111884Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:16:06.987{D0132419-04CF-614B-0C00-00000000FC01}8484484C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000111883Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:16:06.987{D0132419-04CF-614B-0C00-00000000FC01}8484484C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000111882Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:16:06.987{D0132419-04CF-614B-0C00-00000000FC01}8484484C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000111881Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:16:06.987{D0132419-04CF-614B-0C00-00000000FC01}8484484C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000111880Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:16:06.987{D0132419-04CD-614B-0500-00000000FC01}424440C:\Windows\system32\csrss.exe{D0132419-1076-614B-3D02-00000000FC01}4480C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000111879Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:16:06.987{D0132419-04DD-614B-2800-00000000FC01}28323704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D0132419-1076-614B-3D02-00000000FC01}4480C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000111878Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:16:06.988{D0132419-1076-614B-3D02-00000000FC01}4480C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D0132419-04CD-614B-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{D0132419-04DD-614B-2800-00000000FC01}2832C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000111877Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:16:06.487{D0132419-1076-614B-3C02-00000000FC01}44285748C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D0132419-04DD-614B-2800-00000000FC01}2832C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000111876Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:16:06.315{D0132419-04DE-614B-3100-00000000FC01}23683044C:\Windows\system32\conhost.exe{D0132419-1076-614B-3C02-00000000FC01}4428C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000111875Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:16:06.315{D0132419-04CF-614B-0C00-00000000FC01}8484484C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000111874Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:16:06.315{D0132419-04CF-614B-0C00-00000000FC01}8484484C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000111873Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:16:06.315{D0132419-04CF-614B-0C00-00000000FC01}8484484C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000111872Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:16:06.315{D0132419-04CF-614B-0C00-00000000FC01}8484484C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000111871Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:16:06.315{D0132419-04CD-614B-0500-00000000FC01}424540C:\Windows\system32\csrss.exe{D0132419-1076-614B-3C02-00000000FC01}4428C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000111870Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:16:06.315{D0132419-04DD-614B-2800-00000000FC01}28323704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D0132419-1076-614B-3C02-00000000FC01}4428C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000111869Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:16:06.316{D0132419-1076-614B-3C02-00000000FC01}4428C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{D0132419-04CD-614B-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{D0132419-04DD-614B-2800-00000000FC01}2832C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000111868Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:16:06.237{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7937F3F8BB1462FCBB1C4DAE40A8A855,SHA256=812623AF3A9C3D43BBCA6591E4C9FC8EB8D569BA9EC0573759415F79D150292C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000093999Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:16:06.378{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=39122497167CCBE13CE1E5723DDDB55F,SHA256=3275E65A369ABEEE74C6D9DF44D8669E7EFF8D2D2C2E2F55BA8D4B7D7B6BDF3A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000093998Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:16:06.206{601D2BAB-04F0-614B-2B00-00000000FD01}28122832C:\Windows\system32\conhost.exe{601D2BAB-1076-614B-EE01-00000000FD01}1864C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000093997Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:16:06.206{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000093996Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:16:06.206{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000093995Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:16:06.206{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000093994Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:16:06.206{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000093993Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:16:06.206{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000093992Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:16:06.206{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000093991Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:16:06.206{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000093990Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:16:06.206{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000093989Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:16:06.206{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000093988Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:16:06.206{601D2BAB-04ED-614B-0500-00000000FD01}412528C:\Windows\system32\csrss.exe{601D2BAB-1076-614B-EE01-00000000FD01}1864C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000093987Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:16:06.206{601D2BAB-04EF-614B-2300-00000000FD01}15603852C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{601D2BAB-1076-614B-EE01-00000000FD01}1864C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000093986Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:16:06.207{601D2BAB-1076-614B-EE01-00000000FD01}1864C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{601D2BAB-04EE-614B-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{601D2BAB-04EF-614B-2300-00000000FD01}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000111897Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:16:07.659{D0132419-04DE-614B-3100-00000000FC01}23683044C:\Windows\system32\conhost.exe{D0132419-1077-614B-3E02-00000000FC01}4720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000111896Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:16:07.659{D0132419-04CF-614B-0C00-00000000FC01}8484484C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000111895Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:16:07.659{D0132419-04CF-614B-0C00-00000000FC01}8484484C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000111894Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:16:07.659{D0132419-04CF-614B-0C00-00000000FC01}8484484C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000111893Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:16:07.659{D0132419-04CF-614B-0C00-00000000FC01}8484484C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000111892Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:16:07.659{D0132419-04CD-614B-0500-00000000FC01}424440C:\Windows\system32\csrss.exe{D0132419-1077-614B-3E02-00000000FC01}4720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000111891Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:16:07.659{D0132419-04DD-614B-2800-00000000FC01}28323704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D0132419-1077-614B-3E02-00000000FC01}4720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000111890Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:16:07.660{D0132419-1077-614B-3E02-00000000FC01}4720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D0132419-04CD-614B-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{D0132419-04DD-614B-2800-00000000FC01}2832C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000111889Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:16:07.456{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=83484FB7DFD66E7CA053DBB5C86D272D,SHA256=6BA48739C4EFC90E91932CA57950536417D3DDA19EDB4569B20A96DCCDD37B95,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000111888Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:16:07.456{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5314AFC41AEAED692CD545BF004E2B1C,SHA256=12EB9B07AA8BCBA99769922DD2FD1B2FE5F1BDC686E7150DB7675998AEDE4712,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000111887Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:16:07.315{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A3C738B9960B7069B219B9C04D3165DC,SHA256=460546BCD96B2EECC33AA4E2C465B68C6C6D3B5335AF143CED5B683ADE1939BB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000094028Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:16:07.925{601D2BAB-04F0-614B-2B00-00000000FD01}28122832C:\Windows\system32\conhost.exe{601D2BAB-1077-614B-F001-00000000FD01}1356C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094027Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:16:07.925{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094026Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:16:07.925{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094025Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:16:07.925{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094024Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:16:07.925{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094023Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:16:07.925{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094022Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:16:07.925{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094021Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:16:07.925{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094020Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:16:07.925{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094019Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:16:07.925{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094018Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:16:07.925{601D2BAB-04ED-614B-0500-00000000FD01}412428C:\Windows\system32\csrss.exe{601D2BAB-1077-614B-F001-00000000FD01}1356C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000094017Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:16:07.925{601D2BAB-04EF-614B-2300-00000000FD01}15603852C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{601D2BAB-1077-614B-F001-00000000FD01}1356C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000094016Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:16:07.925{601D2BAB-1077-614B-F001-00000000FD01}1356C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{601D2BAB-04EE-614B-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{601D2BAB-04EF-614B-2300-00000000FD01}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000094015Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:16:07.394{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B5F04F2074842D7C9177781E6EA9CF67,SHA256=BD9BDCFE73D899EE1374147DED1092D9FCD9E5666FF7E36DC8B888D351329B44,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000111886Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:16:07.175{D0132419-1076-614B-3D02-00000000FC01}44804432C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{D0132419-04DD-614B-2800-00000000FC01}2832C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094014Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:16:07.253{601D2BAB-04F0-614B-2B00-00000000FD01}28122832C:\Windows\system32\conhost.exe{601D2BAB-1077-614B-EF01-00000000FD01}1868C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094013Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:16:07.253{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094012Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:16:07.253{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094011Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:16:07.253{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094010Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:16:07.253{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094009Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:16:07.253{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094008Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:16:07.253{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094007Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:16:07.253{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094006Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:16:07.253{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094005Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:16:07.253{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094004Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:16:07.253{601D2BAB-04ED-614B-0500-00000000FD01}4121044C:\Windows\system32\csrss.exe{601D2BAB-1077-614B-EF01-00000000FD01}1868C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000094003Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:16:07.253{601D2BAB-04EF-614B-2300-00000000FD01}15603852C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{601D2BAB-1077-614B-EF01-00000000FD01}1868C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000094002Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:16:07.254{601D2BAB-1077-614B-EF01-00000000FD01}1868C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{601D2BAB-04EE-614B-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{601D2BAB-04EF-614B-2300-00000000FD01}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000094001Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:16:07.206{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7AF08579ED2669FBF9ADDEEAD16B08FD,SHA256=C61D5514CC8487B4553C44975052E820176C379DCF5840AE9BBAFF5BD6F310CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000094000Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:16:07.206{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=12C21623E586465902BF2F9073286967,SHA256=02948D81DEB324868B845C9F48D7689278C2E70235A95177724D469354E6E637,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000094031Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:16:08.487{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7AF08579ED2669FBF9ADDEEAD16B08FD,SHA256=C61D5514CC8487B4553C44975052E820176C379DCF5840AE9BBAFF5BD6F310CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000094030Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:16:08.409{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=89717395569E019B110DE118D86EEE96,SHA256=FFBC03DB74C1A4019B6B7ECCFEFB6405B4179323D438CAD1647D48FE3393C813,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000111899Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:16:08.831{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=83484FB7DFD66E7CA053DBB5C86D272D,SHA256=6BA48739C4EFC90E91932CA57950536417D3DDA19EDB4569B20A96DCCDD37B95,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000111898Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:16:08.315{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A64033609022D097BFD3060906F942B,SHA256=83CC1A947B2358E6748DA1A9278EBFD7262DA16F497F3FEEDAA4AB984DFB321F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000094029Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:16:08.050{601D2BAB-1077-614B-F001-00000000FD01}1356868C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{601D2BAB-04EF-614B-2300-00000000FD01}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000111900Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:16:09.378{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED5E5D302C3597DD6B5F167117AC223B,SHA256=EF42AAAC3B2DE5CAE36E459993F377085856E2D4E99E250B24E1739F2A0141C9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000094047Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:16:09.879{601D2BAB-1079-614B-F101-00000000FD01}24123660C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{601D2BAB-04EF-614B-2300-00000000FD01}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094046Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:16:09.754{601D2BAB-04F0-614B-2B00-00000000FD01}28122832C:\Windows\system32\conhost.exe{601D2BAB-1079-614B-F101-00000000FD01}2412C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094045Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:16:09.754{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094044Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:16:09.754{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094043Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:16:09.754{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094042Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:16:09.754{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094041Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:16:09.754{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094040Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:16:09.754{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094039Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:16:09.754{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094038Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:16:09.754{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094037Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:16:09.754{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094036Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:16:09.754{601D2BAB-04ED-614B-0500-00000000FD01}4121044C:\Windows\system32\csrss.exe{601D2BAB-1079-614B-F101-00000000FD01}2412C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000094035Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:16:09.754{601D2BAB-04EF-614B-2300-00000000FD01}15603852C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{601D2BAB-1079-614B-F101-00000000FD01}2412C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000094034Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:16:09.755{601D2BAB-1079-614B-F101-00000000FD01}2412C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{601D2BAB-04EE-614B-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{601D2BAB-04EF-614B-2300-00000000FD01}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000094033Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:16:09.441{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B683BBEB5606B8D2F4CE9FA20BB8ABD,SHA256=622E4BD95E30B944938B77E62E7A6E4549624291409F50FE1F67E9E58D936AE5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000094032Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:16:09.397{601D2BAB-04EF-614B-1D00-00000000FD01}1920NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-03510517867203100\channels\health\respondent-20210922102657-047MD5=22FBA84AE51C77110BB6250FAEBEFB73,SHA256=8C4862C18A6D8E85F040577B2F2863C8212E82437A5FE9547DE6724818512818,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000094077Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:16:10.893{601D2BAB-04F0-614B-2B00-00000000FD01}28122832C:\Windows\system32\conhost.exe{601D2BAB-107A-614B-F301-00000000FD01}1104C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094076Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:16:10.893{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094075Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:16:10.893{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094074Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:16:10.893{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094073Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:16:10.893{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094072Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:16:10.893{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094071Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:16:10.893{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094070Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:16:10.893{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094069Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:16:10.893{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094068Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:16:10.893{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094067Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:16:10.893{601D2BAB-04ED-614B-0500-00000000FD01}412428C:\Windows\system32\csrss.exe{601D2BAB-107A-614B-F301-00000000FD01}1104C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000094066Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:16:10.893{601D2BAB-04EF-614B-2300-00000000FD01}15603852C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{601D2BAB-107A-614B-F301-00000000FD01}1104C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000094065Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:16:10.894{601D2BAB-107A-614B-F301-00000000FD01}1104C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{601D2BAB-04EE-614B-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{601D2BAB-04EF-614B-2300-00000000FD01}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000094064Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:16:10.846{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DC13FE80B480B98908AA36700D8B1440,SHA256=EA827AA283CF2F9F938C62C999B53E4461663A3220B5046E851137812A9DAF2D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000094063Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:16:10.534{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=100F4BC4D29FD7AE2309690E1D13F91A,SHA256=1ABF1E476C2881CEB992E5456A39E3C0C2B3FAB2BBBCDB032E35156EB9AEA4C6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000111901Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:16:10.393{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C5A9FFA054D4F2366616D91C84ED05CB,SHA256=4C9D946C29C492570BB444BE53E386D5E3DEE122DA1D2788B1C2724BB1BC7138,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000094062Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:16:10.411{601D2BAB-04EF-614B-1D00-00000000FD01}1920NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-03510517867203100\channels\health\surveyor-20210922102655-048MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000094061Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:16:10.379{601D2BAB-107A-614B-F201-00000000FD01}28441988C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{601D2BAB-04EF-614B-2300-00000000FD01}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094060Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:16:10.254{601D2BAB-04F0-614B-2B00-00000000FD01}28122832C:\Windows\system32\conhost.exe{601D2BAB-107A-614B-F201-00000000FD01}2844C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094059Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:16:10.254{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094058Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:16:10.254{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094057Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:16:10.254{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094056Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:16:10.254{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094055Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:16:10.254{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094054Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:16:10.254{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094053Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:16:10.254{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094052Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:16:10.254{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094051Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:16:10.254{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094050Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:16:10.254{601D2BAB-04ED-614B-0500-00000000FD01}412528C:\Windows\system32\csrss.exe{601D2BAB-107A-614B-F201-00000000FD01}2844C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000094049Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:16:10.254{601D2BAB-04EF-614B-2300-00000000FD01}15603852C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{601D2BAB-107A-614B-F201-00000000FD01}2844C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000094048Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:16:10.254{601D2BAB-107A-614B-F201-00000000FD01}2844C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{601D2BAB-04EE-614B-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{601D2BAB-04EF-614B-2300-00000000FD01}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000094081Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:16:11.895{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F4D19DEC74D5742AE016ED596758FF2C,SHA256=14C2E1E18668F1AA7A4CE7A961CE19600E268F917589C90C0C9C5B1E38103E13,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000094080Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:16:11.770{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=151FCFD155491120EFBC17E4DCE1ACEA,SHA256=30167FEA07233C36E16D127ED6A1D85AF76A2C24C58A8E6CAC5862F2C1F7A2FE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000111902Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:16:11.409{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9398B925A22DAEFEE264141F535D2D7C,SHA256=4E246EB371AA77DE7534432E8665DEDE92D67502B75FB164D3AE9BCB82835102,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000094079Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:16:09.083{601D2BAB-04F9-614B-6600-00000000FD01}2700C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-301.eu-central-1.compute.internal50298-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x800000000000000094078Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:16:11.020{601D2BAB-107A-614B-F301-00000000FD01}11041088C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{601D2BAB-04EF-614B-2300-00000000FD01}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000094082Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:16:12.786{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=171F55F08B86378D8D8BFE80CD6DE969,SHA256=DEF5425FD448A3C0DD74E7D1FE1259444F876006D3F696EBCF9165921D8CB8C3,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000111904Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:16:09.606{D0132419-04E8-614B-6A00-00000000FC01}3852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local55787-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000111903Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:16:12.471{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F0A88D0ADB80BFB8920865749DF740A9,SHA256=9805FA7AC6920FFBFB0680AD609669F289408F271133F3D536D69C8EE8957358,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000094096Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:16:13.817{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2CA42A66BBDA1EF0E7637C9CEF4958EC,SHA256=494EE6828934AF792B598C4603288803ACBAC089976B630BE903CBF434D72E0D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000111905Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:16:13.534{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=320A936384072AF147CB084A269A45D8,SHA256=6884DF05F597D5C6FA33262FDC6007F1045BAC8B8971AC8B0A60A81526D7B69B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000094095Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:16:13.005{601D2BAB-04F0-614B-2B00-00000000FD01}28122832C:\Windows\system32\conhost.exe{601D2BAB-107D-614B-F401-00000000FD01}3056C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094094Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:16:13.005{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094093Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:16:13.005{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094092Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:16:13.005{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094091Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:16:13.005{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094090Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:16:13.005{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094089Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:16:13.005{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094088Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:16:13.005{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094087Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:16:13.005{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094086Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:16:13.005{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094085Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:16:13.005{601D2BAB-04ED-614B-0500-00000000FD01}412528C:\Windows\system32\csrss.exe{601D2BAB-107D-614B-F401-00000000FD01}3056C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000094084Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:16:13.005{601D2BAB-04EF-614B-2300-00000000FD01}15603852C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{601D2BAB-107D-614B-F401-00000000FD01}3056C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000094083Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:16:13.005{601D2BAB-107D-614B-F401-00000000FD01}3056C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{601D2BAB-04EE-614B-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{601D2BAB-04EF-614B-2300-00000000FD01}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000094098Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:16:14.864{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5BB3C306313079043EC57F9BA318334D,SHA256=D09FBE0888EA88B3304723A8767FDBB4AAF8F5EC689A40E55BA0B49A8479034F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000111906Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:16:14.581{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0BA8B44097D2A9A521CCA78B90CF3E90,SHA256=EA0EE3C4BE6A4E585D9D83A9170F1F2C718F379C8103F1F825A8589EEB7EC1E5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000094097Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:16:14.114{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8EBA41964F470531B1DFE66235E8B026,SHA256=F8BAAFF01BFE617C73725697BBAA21C95C9808AAC8EECC9B14573B61319B4466,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000094099Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:16:15.864{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=939B69D090B87F316C278CC7DC48B43D,SHA256=D41CE3D0D5FB4BBE94D3F232FF10F0886BDD1B15D00AA7622772D1EDD215BACE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000111907Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:16:15.596{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C39EEDAD5575A9BE48C40D3EC16AFA9,SHA256=3A4820384FA5C3C671F68132256FACA971DEDA305DCC6EB1204D1602186405EA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000094100Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:16:16.864{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=549F383E505C9F5BAD01F02D0094CCBD,SHA256=BE599D11B8B017E503F32570C78F5DE98CBA45403F721F1EA58AF545C6CA7294,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000111908Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:16:16.612{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F1EF704CF98783341B9166A41EA4A589,SHA256=A96316A6AFDD90487B63768236A101B7E45AE2F2BC9FF94B98B23269B2F2DDD6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000094102Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:16:17.911{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB38AB555D182D21E17D2BDD27985558,SHA256=E14B44C737312AB8050D1837D6E020DBEC40662A5774937D22A2A937BDD98176,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000111910Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:16:14.653{D0132419-04E8-614B-6A00-00000000FC01}3852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local55788-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000111909Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:16:17.659{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=219EEAB313E2ACA742CA417A2E607044,SHA256=1A404A3A7DA6221AF07E678A51333F045117B45AE1FE81FC9A5A4FE465FB6CEE,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000094101Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:16:15.083{601D2BAB-04F9-614B-6600-00000000FD01}2700C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-301.eu-central-1.compute.internal50299-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000094103Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:16:18.942{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E5088690E59D7DE194B8A25D5FF85A7,SHA256=B3527D55C0DFA5B295DB0F2C0FE70C15B05C6754F27DF6A9CB6C96AF228C3223,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000111911Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:16:18.690{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6E9DE0AE8DE56452B4212A6924E7ACC6,SHA256=CD9204596C9396C8CA73E5FC3424DD4C70555BB168BFD46C7E67EA3B0D6AFD8D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000094104Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:16:19.977{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A7C5D0A00D960F5391FF5820DC0CBDDF,SHA256=03D820C37578D43ED0E5813AFEFAC8A12B74D3E31092F724862E6704C0C86377,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000111912Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:16:19.721{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=38D0ED9370347D6119166285EE8E30C2,SHA256=35F3B2D0C386D91E0B4893A150852769B2A26F0A0BA90D1880AB00E03D848554,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000094105Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:16:20.977{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D4012286184F7BA70F7ACABE02ADDBE,SHA256=A4586FF3428716273B77C723BC3355D94DBD68D556AD45D0AA500387410B4EEC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000111913Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:16:20.737{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6CFE6EDC7A02A41CB33F3D620D5106D8,SHA256=CD815874C7974D8902A5AFC8428005FB82AE5F45F831C5702141D0E5843877BA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000111914Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:16:21.753{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3DC7173ED3B6B1E982EF11A56D08D30F,SHA256=5ACA676716CBC8B5DF7F15726BFB0592EFEBB64F7B854F7671439FA33D050535,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000111916Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:16:22.768{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B8B63ED88462B880EC43C50CD3671E2D,SHA256=1E77CA5B6A81903BAC6D345176D645E13B9CAC1A68D275050850200BA7FDE5E0,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000094107Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:16:20.993{601D2BAB-04F9-614B-6600-00000000FD01}2700C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-301.eu-central-1.compute.internal50300-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000094106Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:16:22.024{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=16ABC5528E4B482416575CE648FA20E5,SHA256=40BC0BF3D8546E00AEE326C0C1F2F53723A724A7E1F96CB3D4A927063913B638,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000111915Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:16:22.706{D0132419-04CD-614B-0B00-00000000FC01}640840C:\Windows\system32\lsass.exe{D0132419-04C7-614B-0100-00000000FC01}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d211|C:\Windows\system32\lsasrv.dll+2b3d4|C:\Windows\system32\lsasrv.dll+30929|C:\Windows\system32\lsasrv.dll+2e287|C:\Windows\system32\lsasrv.dll+2d211|C:\Windows\system32\lsasrv.dll+15ded|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 23542300x8000000000000000111919Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:16:23.784{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=39AE2FA7523FEC3494AC3CE5DD04CEC7,SHA256=C07F00A66D025C28F714DF84F8F4EFD8BF0EEDAF5ED0374FCA554F83515E512D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000094108Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:16:23.039{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B9B583EB372755638B1690EAA0D10B70,SHA256=B9925043DD3349101E1DD6BF99FFD7DCC9B3907E10EF2832F67807471D808060,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000111918Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:16:23.721{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7B1B50B1578BBC56C2889DA7888CDD8C,SHA256=F2CE19B54E0BFA18BFD8533E550F3DD4F148D92C26F3D8D186C770A1D1825346,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000111917Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:16:23.721{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FB1F11AD4C7B158FFD88217F21BFEC3C,SHA256=5E9B0757BD29DE42AA830C5C149D381717932563D7EDA2F862A8CA8C1B627EB4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000111925Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:16:24.893{D0132419-04D0-614B-1000-00000000FC01}3884580C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2B00-00000000FC01}3000C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+2a2f2|C:\Windows\system32\wbem\wmiprvsd.dll+29e26|C:\Windows\system32\wbem\wmiprvsd.dll+28432|C:\Windows\system32\wbem\wmiprvsd.dll+57817|C:\Windows\system32\wbem\wmiprvsd.dll+8a475|C:\Windows\system32\wbem\wbemcore.dll+bcb3|C:\Windows\system32\wbem\wbemcore.dll+3393|C:\Windows\system32\wbem\wbemcore.dll+22adf|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+2c9be|C:\Windows\system32\wbem\wbemcore.dll+202d8|C:\Windows\system32\wbem\wbemcore.dll+390e|C:\Windows\system32\wbem\wbemcore.dll+22bba|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+22711|C:\Windows\system32\wbem\wbemcore.dll+2d78c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000111924Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:16:24.893{D0132419-04D0-614B-1000-00000000FC01}3884580C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2B00-00000000FC01}3000C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+2597b|C:\Windows\system32\wbem\wmiprvsd.dll+283dc|C:\Windows\system32\wbem\wmiprvsd.dll+57817|C:\Windows\system32\wbem\wmiprvsd.dll+8a475|C:\Windows\system32\wbem\wbemcore.dll+bcb3|C:\Windows\system32\wbem\wbemcore.dll+3393|C:\Windows\system32\wbem\wbemcore.dll+22adf|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+2c9be|C:\Windows\system32\wbem\wbemcore.dll+202d8|C:\Windows\system32\wbem\wbemcore.dll+390e|C:\Windows\system32\wbem\wbemcore.dll+22bba|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+22711|C:\Windows\system32\wbem\wbemcore.dll+2d78c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000111923Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:16:24.815{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=319406C2AEE6DB19957BD784EF7E5D8F,SHA256=C082DFC566BE508AAB314D075A7AE86BD8B77425D0040672D13E92654E408D13,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000094109Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:16:24.055{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F9D93BE2BA58630400F17D4B4561B94,SHA256=35B5CDBDE836F602A5FA32F1D34E4949FEBC5269625F1979EE2342E1D7651B4F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000111922Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:16:22.201{D0132419-04C7-614B-0100-00000000FC01}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:b08d:bb0:abe3:5127win-dc-639.attackrange.local55790-truefe80:0:0:0:b08d:bb0:abe3:5127win-dc-639.attackrange.local445microsoft-ds 354300x8000000000000000111921Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:16:22.201{D0132419-04C7-614B-0100-00000000FC01}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:b08d:bb0:abe3:5127win-dc-639.attackrange.local55790-truefe80:0:0:0:b08d:bb0:abe3:5127win-dc-639.attackrange.local445microsoft-ds 354300x8000000000000000111920Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:16:20.684{D0132419-04E8-614B-6A00-00000000FC01}3852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local55789-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000111927Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:16:25.831{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=749D82CCC6786BEB171B65AA304E593C,SHA256=413FB8FFA3D2C665DCE6E6C1E8F9E66A43FF42D344398FF10719C460633DC590,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000094110Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:16:25.086{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9803D2023493E64C319648CC13520246,SHA256=CDD2C64C49B6C5BAD9400D9B820E70ED1E4A1DE1E44961A9B0033A929592407A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000111926Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:16:25.034{D0132419-04D0-614B-1300-00000000FC01}396NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=06433C3C2EEF7BD657C75F652B6F4275,SHA256=1814FA586BBA865773F3FA133376FD07A52F57A82C850CD14B402DF2E0215BB5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000111928Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:16:26.846{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F89F24298837A311A61603AB43BD4D3,SHA256=A79B77220DB51E5ECB8839246280EEA35F3CB0419481622A162FB64774190E3C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000094111Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:16:26.087{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1FFD4236F7193513FF30D7E560387F1A,SHA256=882E4AE77602C813A53105283C44EC0B3D0CF6FDFC258C67DB1186581B2FE9C3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000111930Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:16:27.878{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1DE597115B39DFB40EE52C71A3DE80B8,SHA256=BE3F0569FFBB263A600DC6EC3546C29DF02439EEBC9F723D0FF16A9E8D451E9F,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000094113Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:16:26.087{601D2BAB-04F9-614B-6600-00000000FD01}2700C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-301.eu-central-1.compute.internal50301-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000094112Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:16:27.102{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3ADA47B9B48A29FDBFC16A92C3C142FC,SHA256=B2E60E09CA68D8DB0708263668DF6FEB99DFD903E1E2CCC75096985225DA28BE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000111929Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:16:27.425{D0132419-04CF-614B-0D00-00000000FC01}9084908C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2700-00000000FC01}2804C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000111932Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:16:28.909{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B413593D6180067DE9A940113DC2DD90,SHA256=7424D51B76BB24D7DB98AC16EA378BF6FEA98D91F4A4FA89ED22A1191FE528EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000094114Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:16:28.102{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2ADC43C351F7060D0AA823FFA282647E,SHA256=63E5F4B8BEF47DB89ECEBC748D9CE568CD019689E2C5E99023F73D430FD7F499,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000111931Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:16:26.590{D0132419-04E8-614B-6A00-00000000FC01}3852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local55791-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000111933Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:16:29.940{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=82C52A4B4A8C118F5760E2D3E8BBDA88,SHA256=214B45A181147FE0F04A4C5C58E0576A3B4B047C5483E0E941CC66086A2412AB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000094115Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:16:29.102{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A7A891658B20B7B98B5022EB15A3D350,SHA256=38B50CDB6EB6ABDC983BEEB3B181A6815712C606E8B8DE6F213080B141A9D230,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000111934Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:16:30.956{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EBC09B4C4F3167EDCAE3C40C4EFB8FBA,SHA256=703DED9AC84C90F52872025CE6BCD2F0CCD427EA3920813C84D5C5F00FBAC9B3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000094116Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:16:30.165{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D097091D7651F1CAB41382E3D055BFC4,SHA256=4B97E10375F2F5EE1046493279AC21989824EBC84023ACE05B720238339EF237,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000094117Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:16:31.196{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=284ED0B5FDAB353A2819A1D7D76031DA,SHA256=9C7AAD0E337787ED20287D11ED5A3780DD17DC80C5F4E78C99C46EEBB6EC6ACC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000094118Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:16:32.196{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=86F49D07CEFD78938E3AFD7695D4C5B5,SHA256=1E8DA58578F6141D7F37C235C48263001260AD96345BEC4930635A59458E24C9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000111935Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:16:32.003{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F2D52766FC46DEDC878EBAAD2966A9BE,SHA256=FD4CEC198E5FA37ED8E94D718FC1D983E7F019EEC0DE429DBF242FEB059BC14B,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000094120Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:16:32.087{601D2BAB-04F9-614B-6600-00000000FD01}2700C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-301.eu-central-1.compute.internal50302-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000094119Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:16:33.211{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D8529A24092AE2C5982D43236E351786,SHA256=6DAA611766097CCBEF295D2D8FDA4421103E4C0345577E63D27C7849AA445F42,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000111936Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:16:33.018{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C93AD5BE6C69B0F1A0828CEB11ADF482,SHA256=6E2105CDD9757B4A4A17B1A1BD097D4979DD00E99B7B65CA682DDA82F8F8DB51,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000094121Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:16:34.211{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B9E32003475C9724A4C04F3FA56C7E1F,SHA256=8B451586E3FCFF9FAA697F70E42C890B597DB8AD23C02D81ECC34C2B61A8E2F4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000111940Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:16:34.628{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C70FB7EC5F6709FAA9BFE6F39861367A,SHA256=C5D95D6E5AA169B773C31C126A2106287548D5C7758E9695573A1B6FD0D3B462,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000111939Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:16:34.628{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7B1B50B1578BBC56C2889DA7888CDD8C,SHA256=F2CE19B54E0BFA18BFD8533E550F3DD4F148D92C26F3D8D186C770A1D1825346,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000111938Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:16:32.590{D0132419-04E8-614B-6A00-00000000FC01}3852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local55792-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000111937Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:16:34.034{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E92D299C8A1C4F37AA3D327C146729AF,SHA256=49F0086907647F9A7D04D6B4741294B8710EF63EC346833556F4F0C5D5227CFC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000094122Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:16:35.258{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5DAE18296657A69932BA2CDE027EEF35,SHA256=4D82BFF09F2CC32746E0C8BD18F8ED99D4C3D4F5B8E44D8048E4AC589035D16F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000111941Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:16:35.050{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=515194155D15AC35EDFAE92E39BD6ED6,SHA256=DB416BB50BC034CE3F2A87CF960FB14E647FF0EACEFD6132AF6515D095094E2A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000111943Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:16:36.862{D0132419-04DD-614B-2800-00000000FC01}2832NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=2990B16A694DD695D7F6C8AE7AEE48F0,SHA256=B465CF03FBDF89CAB3FC04972E2D540944CDC3DF8EB3010FFE979D2D499C10D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000111942Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:16:36.081{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1CC7E52A4116FDFF155B2D6D906543AD,SHA256=A06E933CE74D2C5B2F08C05E771BC34F1B3318F8732A6434AE4199BFE1E2F535,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000094123Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:16:36.274{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A1D318D5CAF1F7A7BB0E7BE27BF21A63,SHA256=C20C67161CBB4A5214D65AE43D45AA1B35C9E9AFBFBC8C3302EFB1032F25D68E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000094124Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:16:37.274{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=97F7B7B72041B15CE915AAB5FBD76445,SHA256=2B5D3D1D3289990B51294DEB2D682DD9EEC9232EBCD67666D5ACB82557BF5B37,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000111944Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:16:37.128{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E58BF83E9B1CD10637447960EBA677E5,SHA256=E962B099F1FE76B676BF03BF97820A79F1AA696BF8CF1665A294D0FBCAA2E278,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000094125Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:16:38.305{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC808FB6841684D2B271F94030FEF981,SHA256=FCEF6A5650F67022BC17C2D8DCD056DC453C0BDC21113650739899FD67F9000E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000111945Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:16:38.143{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=383ED15DC49458E1374001513DA82FF8,SHA256=5B9BF99BB2BB384CB116848C20E3775B245BD59821A000A38C1E39BDA7E64FD2,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000094127Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:16:38.088{601D2BAB-04F9-614B-6600-00000000FD01}2700C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-301.eu-central-1.compute.internal50303-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000094126Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:16:39.321{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=86A069D74CDE32B5AB4A29E581E92A35,SHA256=DD6CD3F5BA153E2B4F9D0704543BEFA2EFF3B985A8C134D37062CE45492445D4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000111947Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:16:36.341{D0132419-04DD-614B-2800-00000000FC01}2832C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local55793-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x8000000000000000111946Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:16:39.190{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=826CDB4E012C7A7860928266AB280F99,SHA256=1E3187F5069F6B9DC1AE0232447A394D12436A60CDBD7A959414C8CF1697A38D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000111949Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:16:38.637{D0132419-04E8-614B-6A00-00000000FC01}3852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local55794-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000111948Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:16:40.191{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=924D2DCDBB17043749894FD0E7E8AF3D,SHA256=C64D35AFD89A3794B6F5821FA3B7E5B842F94D7F26F6485CE7B52DD13D809089,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000094128Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:16:40.324{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A59C8ACBCCF9925B9991B87C6BA53C53,SHA256=FEE88EC660025A2CBE5BC2281610EC8BD021451DBCE1D1FBFE6A9DC7B2B1D26A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000111950Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:16:41.207{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7614827ECCF96DC58CB1DFAEB7772967,SHA256=ABCDBE9E9F2A37DD087BED6711C4ACC30EE48B43EB996A592DB4790BE44BE329,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000094130Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:16:41.809{601D2BAB-04EF-614B-2300-00000000FD01}1560NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=2990B16A694DD695D7F6C8AE7AEE48F0,SHA256=B465CF03FBDF89CAB3FC04972E2D540944CDC3DF8EB3010FFE979D2D499C10D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000094129Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:16:41.371{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0A34C2502D463700F687613A1D1FE058,SHA256=75E3C473C808C7F609B001D7E0CB50C1D82451AA0250DF66D9EECC6E51D9EEA2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000094131Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:16:42.387{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D570AEC51663FD5B841282129123A878,SHA256=895B7EC5A35D60E528B7DB629FEB2E900A9D85D846BD95CF6099297E6674B377,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000111951Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:16:42.223{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D1E8656F619DC9C5F7CCF0FBE188BCDE,SHA256=FF13273B4E203D380847278E4D73B7C62CF3B703AF695BB0972812F91539442A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000094132Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:16:43.402{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA3C2E76A4E931E4FD8283C7E34C0A6B,SHA256=29C5161BAD91B3222C274E8B138350DC27ABA625211FE5EE59557537285F7470,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000111952Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:16:43.238{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=871D80C9F0562C0B4CD3B7DF0571E7BB,SHA256=06AF6EBB5336691FBA7DE5FE87C3199D9431FCFB977765369B1DE4C4CE0F62BF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000111953Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:16:44.254{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=70011505A3415144B5F39AB3629DEC40,SHA256=E884AD3079D3BC3E0AECEC08D94A5137FF75F5F9BFC43251E8993239170BC495,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000094134Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:16:44.418{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5845C9023CEE586B4316B144D6879AF0,SHA256=EB1891DC9D5620EA27658A0BC7D88FB9A32C8DC43318D0BB31023A2340F1C1A3,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000094133Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:16:41.747{601D2BAB-04EF-614B-2300-00000000FD01}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-301.eu-central-1.compute.internal50304-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x8000000000000000111954Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:16:45.270{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F410014ED7D636C018CF733DF4D9B2CB,SHA256=001A08FD9953852D5864697559CE021B4C2350951120D975CFA26AB3E237BFDF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000094135Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:16:45.418{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C363810BFBF88DCF7CBE209CF72995C0,SHA256=AC62AEA2300FAF99F3C659B974A940242E23F4CED46830E7BE5F1A4A7178343F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000094137Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:16:46.434{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE4ABFE92EC3742DAB67DA8AD6E67D5A,SHA256=D9C1B8C7EE8E8629B39FC1950F88AB6581A6DE7D261452803270F801B3CBC0C1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000111956Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:16:44.622{D0132419-04E8-614B-6A00-00000000FC01}3852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local55795-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000111955Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:16:46.285{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA88CE2C10E1899DAB38E5BEE27ECED8,SHA256=E26FA5B6D98353B5E38E0C0DE5EBC0BBFD3E37CBF5E33D09F5F94FB8AF2D8811,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000094136Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:16:44.044{601D2BAB-04F9-614B-6600-00000000FD01}2700C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-301.eu-central-1.compute.internal50305-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000094138Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:16:47.465{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B74E71F902CF84F4F1836A9BD021F7D,SHA256=DBC47268C6120C108A70D212955E66D2CCEEDC7F07B0E4ADFF46861EAEDB30EE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000111957Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:16:47.301{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E0E22A068B2AF3E5A7EB02988E0BF2CB,SHA256=DEA9C88E80EA7DE6D95405C9A0A6BEBA4D40DCC72A75E2BF4A39FD79C635F7F5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000111958Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:16:48.332{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E21FD4E15AE2B3D43FE3453B6738525F,SHA256=D33D4624EA3BE3288EE500C8326E0E3DE1832A24EEA36A79A5E1F302885244EE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000094139Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:16:48.465{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B45DA66D8B8AC04E2AA5EC5010033A58,SHA256=7022E65DD51953339538191C40F4D7A12CF27563ED9660AFBD6915C4F27A36EC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000111967Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:16:49.598{D0132419-04DE-614B-3100-00000000FC01}23683044C:\Windows\system32\conhost.exe{D0132419-10A1-614B-3F02-00000000FC01}2360C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000111966Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:16:49.598{D0132419-04CF-614B-0C00-00000000FC01}8484484C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000111965Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:16:49.598{D0132419-04CF-614B-0C00-00000000FC01}8484484C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000111964Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:16:49.598{D0132419-04CF-614B-0C00-00000000FC01}8484484C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000111963Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:16:49.598{D0132419-04CF-614B-0C00-00000000FC01}8484484C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000111962Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:16:49.598{D0132419-04CD-614B-0500-00000000FC01}424540C:\Windows\system32\csrss.exe{D0132419-10A1-614B-3F02-00000000FC01}2360C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000111961Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:16:49.598{D0132419-04DD-614B-2800-00000000FC01}28323704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D0132419-10A1-614B-3F02-00000000FC01}2360C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000111960Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:16:49.598{D0132419-10A1-614B-3F02-00000000FC01}2360C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D0132419-04CD-614B-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{D0132419-04DD-614B-2800-00000000FC01}2832C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000111959Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:16:49.348{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=251331D29A13162281B54AB67DBCDB57,SHA256=59123EFE4C147E616EE44FD37571B0A1CB51445FB0F610BDF592E4E3EBD4DF02,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000094140Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:16:49.465{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A6D03859A9CD1B6F3C5A66934D8BADF4,SHA256=1FB6494E3F4F5D6B4B80BD5B8C1E5CDCF6340C5CBC3B80DE5EF12F4D3F6FC5AD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000094141Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:16:50.496{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BFBDFAD2DF9A550D5833D765D767A960,SHA256=8E4B52008151260C52EFBF40769B172CB0CBD5D31DED2EB2CFB23C7EA70135B1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000111979Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:16:50.801{D0132419-10A2-614B-4002-00000000FC01}60964020C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{D0132419-04DD-614B-2800-00000000FC01}2832C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000111978Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:16:50.629{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D890C4044C8E95204BBCD2610860FA70,SHA256=AA4BDC7B23084A9A29E138246F2DFB75F586B5889004F80D63A3CB6E12194CEB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000111977Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:16:50.629{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C70FB7EC5F6709FAA9BFE6F39861367A,SHA256=C5D95D6E5AA169B773C31C126A2106287548D5C7758E9695573A1B6FD0D3B462,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000111976Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:16:50.629{D0132419-04DE-614B-3100-00000000FC01}23683044C:\Windows\system32\conhost.exe{D0132419-10A2-614B-4002-00000000FC01}6096C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000111975Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:16:50.629{D0132419-04CF-614B-0C00-00000000FC01}8484484C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000111974Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:16:50.629{D0132419-04CF-614B-0C00-00000000FC01}8484484C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000111973Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:16:50.629{D0132419-04CF-614B-0C00-00000000FC01}8484484C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000111972Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:16:50.629{D0132419-04CF-614B-0C00-00000000FC01}8484484C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000111971Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:16:50.629{D0132419-04CD-614B-0500-00000000FC01}424540C:\Windows\system32\csrss.exe{D0132419-10A2-614B-4002-00000000FC01}6096C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000111970Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:16:50.629{D0132419-04DD-614B-2800-00000000FC01}28323704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D0132419-10A2-614B-4002-00000000FC01}6096C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000111969Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:16:50.630{D0132419-10A2-614B-4002-00000000FC01}6096C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D0132419-04CD-614B-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{D0132419-04DD-614B-2800-00000000FC01}2832C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000111968Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:16:50.395{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F7E4CAA4D74E7F4402F2AEFD6435E10,SHA256=52ABF0C5E920B197049A8C1F4C5721BA7C25BCB347F769C922E0F4F9FE99D7C7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000094143Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:16:51.496{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=81EB9309DBD8B6EFCF8B4C18CAA74C36,SHA256=AB617B1D879E973ADCE31217D63B0E2A21B7CB9938FC5DF858B56D9D68BE61BE,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000111990Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:16:49.731{D0132419-04E8-614B-6A00-00000000FC01}3852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local55796-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000111989Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:16:51.645{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D890C4044C8E95204BBCD2610860FA70,SHA256=AA4BDC7B23084A9A29E138246F2DFB75F586B5889004F80D63A3CB6E12194CEB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000111988Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:16:51.410{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D5EE87FD63CAF0D00B0ABBE35FC7644,SHA256=46EB75A3CB6222854BD17D660E5AE4B0E8B015863CDB683AFD5BF9489AD6A8E0,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000094142Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:16:49.169{601D2BAB-04F9-614B-6600-00000000FD01}2700C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-301.eu-central-1.compute.internal50306-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x8000000000000000111987Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:16:51.301{D0132419-04DE-614B-3100-00000000FC01}23683044C:\Windows\system32\conhost.exe{D0132419-10A3-614B-4102-00000000FC01}5020C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000111986Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:16:51.301{D0132419-04CF-614B-0C00-00000000FC01}8484484C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000111985Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:16:51.301{D0132419-04CF-614B-0C00-00000000FC01}8484484C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000111984Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:16:51.301{D0132419-04CF-614B-0C00-00000000FC01}8484484C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000111983Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:16:51.301{D0132419-04CF-614B-0C00-00000000FC01}8484484C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000111982Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:16:51.301{D0132419-04CD-614B-0500-00000000FC01}424540C:\Windows\system32\csrss.exe{D0132419-10A3-614B-4102-00000000FC01}5020C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000111981Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:16:51.301{D0132419-04DD-614B-2800-00000000FC01}28323704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D0132419-10A3-614B-4102-00000000FC01}5020C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000111980Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:16:51.302{D0132419-10A3-614B-4102-00000000FC01}5020C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D0132419-04CD-614B-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{D0132419-04DD-614B-2800-00000000FC01}2832C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000111993Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:16:50.450{D0132419-04CD-614B-0B00-00000000FC01}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local55797-true0:0:0:0:0:0:0:1win-dc-639.attackrange.local389ldap 354300x8000000000000000111992Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:16:50.450{D0132419-04DD-614B-2500-00000000FC01}2784C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local55797-true0:0:0:0:0:0:0:1win-dc-639.attackrange.local389ldap 23542300x8000000000000000111991Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:16:52.441{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D3BC420F3AEF591ADCEC465A24C1D6C6,SHA256=56DB6BF3488490E57845A39C6D6D62EEABBB2C20A196771CA5DBF9C559B8A87A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000094144Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:16:52.496{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=522A5E56F6260C93449D9238ACDC06D5,SHA256=02C03992C8331EA40019A601AAE50B56E2C98B663FE05E52578F5301228C1E3A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000094145Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:16:53.496{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9CD4C2B6677BDAC04FD2F453DA3D736B,SHA256=39C4E525925DD32A4267A50878B0574C01A9CB6A51A3225963FBFC8F8F400D8D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000112004Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:16:53.800{D0132419-10A5-614B-4202-00000000FC01}25164364C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D0132419-04DD-614B-2800-00000000FC01}2832C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000112003Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:16:53.597{D0132419-04DE-614B-3100-00000000FC01}23683044C:\Windows\system32\conhost.exe{D0132419-10A5-614B-4202-00000000FC01}2516C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000112002Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:16:53.597{D0132419-04CF-614B-0C00-00000000FC01}8484484C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000112001Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:16:53.597{D0132419-04CF-614B-0C00-00000000FC01}8484484C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000112000Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:16:53.597{D0132419-04CF-614B-0C00-00000000FC01}8484484C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000111999Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:16:53.597{D0132419-04CF-614B-0C00-00000000FC01}8484484C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000111998Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:16:53.597{D0132419-04CD-614B-0500-00000000FC01}424440C:\Windows\system32\csrss.exe{D0132419-10A5-614B-4202-00000000FC01}2516C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000111997Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:16:53.597{D0132419-04DD-614B-2800-00000000FC01}28323704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D0132419-10A5-614B-4202-00000000FC01}2516C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000111996Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:16:53.598{D0132419-10A5-614B-4202-00000000FC01}2516C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D0132419-04CD-614B-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{D0132419-04DD-614B-2800-00000000FC01}2832C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000111995Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:16:53.457{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4AE7FBA22BC2E4EAC3CA64A94A791EFE,SHA256=9C616C8D071F7A83C4F451AA8CCC073C713A814859D2076C125463862321EDBC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000111994Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:16:53.397{D0132419-04DD-614B-2900-00000000FC01}2876NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-00d0db05f68d8430c\channels\health\respondent-20210922102639-048MD5=345F625AB226979275E8E5CD8333D545,SHA256=49B2C959B2C09B2DF7CFAED4905912E8B63F426A3734D76F2BAAFA07100D73D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000094146Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:16:54.496{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C3739B42815A68319A2904E444E4F470,SHA256=1B4EF272A76DBBF4EBB1F40B2DC431DC9E22B17B0B821AEEF6641991C667A7A5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000112007Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:16:54.674{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7769F8F89DDC4857A99DEA1CC829DAA8,SHA256=91F7FB0FBCF57CA50A148F9AE0CBF70293898E983ECA40243F23018D3975D654,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000112006Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:16:54.471{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=935A106EBA12CE1BE26FF6C5CBF38194,SHA256=689DFE4EDD125C13255F4C21628AA048CF0E6588216A54BD01F45FB549F7DC46,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000112005Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:16:54.411{D0132419-04DD-614B-2900-00000000FC01}2876NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-00d0db05f68d8430c\channels\health\surveyor-20210922102637-049MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000094148Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:16:55.496{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D3762C23FBF013B3A4A075AF6ED1A12,SHA256=4EF2A82745C48DD16288F6C7A2C64B016B881F10FCA8E3EE3A4555155345DF88,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000112008Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:16:55.474{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E9869B6DF28F0049877E33C93ABBC7D,SHA256=D5557D735D297FDB187C608AF6BB31E9171CB76641D8DF503D86E306FEB4D96C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000094147Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:16:55.246{601D2BAB-04EE-614B-1100-00000000FD01}972NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=1D96D41B4EF8BA5C5C44EB5A4DCC60F4,SHA256=9374A0F934E1613CC8880B874EDD05D6222B28C604098BE4BEF194CE17A69B35,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000094149Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:16:56.496{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB9514A9DDCA713D21547E9CF0E79220,SHA256=E028567FE99F9F6070C76DBC4BA928552F8BCB19D57952EF8347F6FD31597C1D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000112009Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:16:56.489{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=95BAF2E14FB26FC9DDB71B8B74AE5DBA,SHA256=A9F32FAC3519FEF8EEF03E1FFC032679284B20094093C926F87E805AEC299658,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000094151Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:16:57.544{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A8A87057A4A5F479CB16485736511440,SHA256=AD04B2140CD3DA9C058F5868D9D235F168EB355011E3215365F4BFE682605699,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000112013Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:16:57.536{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B9443E32097CC90344995598C48D007,SHA256=7F91B711CF5ABB288E55607F56BA701ED9D6136308CF4A621E9FA8F9BDEEFB08,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000094150Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:16:55.153{601D2BAB-04F9-614B-6600-00000000FD01}2700C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-301.eu-central-1.compute.internal50307-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 13241300x8000000000000000112012Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-SetValue2021-09-22 11:16:57.521{D0132419-04DD-614B-2B00-00000000FC01}3000C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Volumes\8EFF07E0-0000-0000-0000-100000000000\Volume Configuration File\\.\C:\System Volume Information\DFSR\Config\Volume_8EFF07E0-0000-0000-0000-100000000000.XML 13241300x8000000000000000112011Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-SetValue2021-09-22 11:16:57.505{D0132419-04DD-614B-2B00-00000000FC01}3000C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\EAA03964-875C-43CF-AA1A-8F0426A0E9C6\Config SourceDWORD (0x00000001) 13241300x8000000000000000112010Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-SetValue2021-09-22 11:16:57.505{D0132419-04DD-614B-2B00-00000000FC01}3000C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\EAA03964-875C-43CF-AA1A-8F0426A0E9C6\Replica Set Configuration File\\?\C:\System Volume Information\DFSR\Config\Replica_EAA03964-875C-43CF-AA1A-8F0426A0E9C6.XML 23542300x800000000000000094152Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:16:58.544{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA5BD0D561EC34EB6FBBD2D2D4C0E222,SHA256=DD2684CC1E519205BB09D828A946E0405563AAE97135E039D8F0994614713467,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000112022Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:16:57.023{D0132419-04CD-614B-0B00-00000000FC01}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:b08d:bb0:abe3:5127win-dc-639.attackrange.local55801-truefe80:0:0:0:b08d:bb0:abe3:5127win-dc-639.attackrange.local389ldap 354300x8000000000000000112021Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:16:57.023{D0132419-04DD-614B-2B00-00000000FC01}3000C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:b08d:bb0:abe3:5127win-dc-639.attackrange.local55801-truefe80:0:0:0:b08d:bb0:abe3:5127win-dc-639.attackrange.local389ldap 354300x8000000000000000112020Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:16:57.016{D0132419-04CD-614B-0B00-00000000FC01}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:b08d:bb0:abe3:5127win-dc-639.attackrange.local55800-truefe80:0:0:0:b08d:bb0:abe3:5127win-dc-639.attackrange.local389ldap 354300x8000000000000000112019Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:16:57.016{D0132419-04DD-614B-2B00-00000000FC01}3000C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:b08d:bb0:abe3:5127win-dc-639.attackrange.local55800-truefe80:0:0:0:b08d:bb0:abe3:5127win-dc-639.attackrange.local389ldap 354300x8000000000000000112018Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:16:57.000{D0132419-04CF-614B-0D00-00000000FC01}908C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:b08d:bb0:abe3:5127win-dc-639.attackrange.local55799-truefe80:0:0:0:b08d:bb0:abe3:5127win-dc-639.attackrange.local135epmap 354300x8000000000000000112017Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:16:57.000{D0132419-04DD-614B-2B00-00000000FC01}3000C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:b08d:bb0:abe3:5127win-dc-639.attackrange.local55799-truefe80:0:0:0:b08d:bb0:abe3:5127win-dc-639.attackrange.local135epmap 23542300x8000000000000000112016Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:16:58.552{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=16FEDFD0674763A25E1ABECEAD976082,SHA256=44F6666133AD6D6357A38F64515B38F619D4D57A7887AA7493DA909C6011E3D1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000112015Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:16:58.536{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F85C9BB10338738354DB388C702B6E45,SHA256=6DB93CD249CE1A2D58155A2B05D1F3C8B89A8060F88E6F9EC3936AD771622269,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000112014Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:16:55.701{D0132419-04E8-614B-6A00-00000000FC01}3852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local55798-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000094153Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:16:59.591{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=829D474E579DC48526F1FB5708B33FD3,SHA256=174D7C3292118E5F085D66EB6A64C3DE301186C24CE64E72A4813D678E764EE1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000112023Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:16:59.552{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6E21E7E9769953B4D1D046E3DD387EE4,SHA256=3F92ED61736FCA60CBC00AFFA74992378F2F4B6A5135D499CCC6BCA2F82AEF7E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000094154Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:17:00.634{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=78BFBEEE1F6B4863E164630C425C28F8,SHA256=9CA093F4C37FF1380D40F6A1C3000A509ED85E9B0D2657522D8D9DFA2CBAD72A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000112024Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:17:00.568{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2C1F749802AF5D1E11A91766D9FB4B71,SHA256=DFCF2F3002FC2EA24C243BB6CEDA5A7D36B3B07589DE1234DCFB6372F2EA75C5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000094155Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:17:01.665{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D5DADE7D0082CC3D4B049210E760A2C6,SHA256=B40CFCC5C71593E9C050159E7BB11DA2C03FDCBE116A70AFD1CE5A38D5E4733B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000112025Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:17:01.614{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C4E92DC8EF22E10DFC9F2786774ACB0,SHA256=5C1CFCB8F84FF419FEEB401020923A1487D3C786A179ACC63084906B3B429194,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000094156Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:17:02.665{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B6ABA312BA474C83F31F44BB45B4CB2,SHA256=AD031AE2DAD2D073A48AF9C2BDE777BA0ED6E4DD0B5DA0F08C2310331FE76D74,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000112026Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:17:02.661{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D541A1F66390AD4EBF654FC03B902A8E,SHA256=9A33DE6F27BC010FD8D133F977B569A65094F2048910B671D2BDCCCF82B97E27,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000094158Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:17:03.696{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0399F4255F45E5B2D15DB65F887C3009,SHA256=358B9B56AA26A7F950F29C6A31EBB11A01CDEC108153601F3B94913C85ABF916,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000112027Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:17:03.708{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=06CC7E2AD95D8E4F10232CE21BC5AFFD,SHA256=7137BE47E514BA6EC73AC06B19F7B264D2945BAA8AC4FA4B544503A765B749BC,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000094157Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:17:01.041{601D2BAB-04F9-614B-6600-00000000FD01}2700C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-301.eu-central-1.compute.internal50308-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000094159Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:17:04.743{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F7962233597A03739A690BAAE5320D71,SHA256=67DA2B4A67CE071F7AF08F8D77B78253A7D1233318827EFCEAE0FAE91B0011D8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000112029Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:17:04.724{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=724FC18758BD7718E4D8B0D7405FED7D,SHA256=9B42BBA0C7CB158496842587919A98C9DBE7A997BDFB350ED69FA7173FDC87F4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000112028Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:17:01.654{D0132419-04E8-614B-6A00-00000000FC01}3852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local55802-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000094160Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:17:05.743{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E5CF620D0DE91680CA5BAC98BE1B6D1,SHA256=32745DFECDDADA631E3FCCFFD0FE7036B6B27D37B87014E8481D3910AC7081D9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000112030Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:17:05.755{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B591AC60C5568A0523C985EAC3CD4B03,SHA256=6B4A75716C13406474BA622FF42B65F80CB10AE723F4CDEB74C8B1E2859BB99C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000112050Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:17:06.927{D0132419-10B2-614B-4402-00000000FC01}48365272C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D0132419-04DD-614B-2800-00000000FC01}2832C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000112049Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:17:06.771{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FD464CD2797A1BACE46669727317EC0F,SHA256=4F54728D0AD4F0ABAA4FB126E81ED55F7081115B8D6C9291A5D9E28A0BD25C51,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000094174Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:17:06.790{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CAE9E92656F71D02506A057FA6CAC141,SHA256=15F72726F20CAAA0DF71D5B266E651016A0DD81861037A63549FE55876E86045,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000094173Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:17:06.227{601D2BAB-04F0-614B-2B00-00000000FD01}28122832C:\Windows\system32\conhost.exe{601D2BAB-10B2-614B-F501-00000000FD01}3184C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094172Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:17:06.227{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094171Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:17:06.227{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094170Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:17:06.227{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094169Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:17:06.227{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094168Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:17:06.227{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094167Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:17:06.227{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094166Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:17:06.227{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094165Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:17:06.227{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094164Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:17:06.227{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094163Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:17:06.227{601D2BAB-04ED-614B-0500-00000000FD01}4121044C:\Windows\system32\csrss.exe{601D2BAB-10B2-614B-F501-00000000FD01}3184C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000094162Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:17:06.227{601D2BAB-04EF-614B-2300-00000000FD01}15603852C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{601D2BAB-10B2-614B-F501-00000000FD01}3184C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000094161Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:17:06.228{601D2BAB-10B2-614B-F501-00000000FD01}3184C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{601D2BAB-04EE-614B-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{601D2BAB-04EF-614B-2300-00000000FD01}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000112048Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:17:06.724{D0132419-04DE-614B-3100-00000000FC01}23683044C:\Windows\system32\conhost.exe{D0132419-10B2-614B-4402-00000000FC01}4836C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000112047Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:17:06.724{D0132419-04CF-614B-0C00-00000000FC01}8484484C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000112046Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:17:06.724{D0132419-04CF-614B-0C00-00000000FC01}8484484C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000112045Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:17:06.724{D0132419-04CF-614B-0C00-00000000FC01}8484484C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000112044Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:17:06.724{D0132419-04CF-614B-0C00-00000000FC01}8484484C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000112043Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:17:06.724{D0132419-04CD-614B-0500-00000000FC01}42492C:\Windows\system32\csrss.exe{D0132419-10B2-614B-4402-00000000FC01}4836C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000112042Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:17:06.724{D0132419-04DD-614B-2800-00000000FC01}28323704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D0132419-10B2-614B-4402-00000000FC01}4836C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000112041Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:17:06.725{D0132419-10B2-614B-4402-00000000FC01}4836C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{D0132419-04CD-614B-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{D0132419-04DD-614B-2800-00000000FC01}2832C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000112040Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:17:06.552{D0132419-04CD-614B-0B00-00000000FC01}640684C:\Windows\system32\lsass.exe{D0132419-04C7-614B-0100-00000000FC01}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d211|C:\Windows\system32\lsasrv.dll+2b3d4|C:\Windows\system32\lsasrv.dll+30929|C:\Windows\system32\lsasrv.dll+2e287|C:\Windows\system32\lsasrv.dll+2d211|C:\Windows\system32\lsasrv.dll+15ded|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x8000000000000000112039Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:17:06.443{D0132419-10B2-614B-4302-00000000FC01}50324960C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{D0132419-04DD-614B-2800-00000000FC01}2832C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000112038Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:17:06.224{D0132419-04DE-614B-3100-00000000FC01}23683044C:\Windows\system32\conhost.exe{D0132419-10B2-614B-4302-00000000FC01}5032C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000112037Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:17:06.224{D0132419-04CF-614B-0C00-00000000FC01}8484484C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000112036Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:17:06.224{D0132419-04CF-614B-0C00-00000000FC01}8484484C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000112035Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:17:06.224{D0132419-04CF-614B-0C00-00000000FC01}8484484C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000112034Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:17:06.224{D0132419-04CF-614B-0C00-00000000FC01}8484484C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000112033Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:17:06.224{D0132419-04CD-614B-0500-00000000FC01}424440C:\Windows\system32\csrss.exe{D0132419-10B2-614B-4302-00000000FC01}5032C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000112032Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:17:06.224{D0132419-04DD-614B-2800-00000000FC01}28323704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D0132419-10B2-614B-4302-00000000FC01}5032C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000112031Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:17:06.225{D0132419-10B2-614B-4302-00000000FC01}5032C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D0132419-04CD-614B-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{D0132419-04DD-614B-2800-00000000FC01}2832C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000112061Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:17:07.786{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C4802D48A3440D55AD64CD7780DFA5C8,SHA256=B337447DE9660756B91C00416F6D763BD834B24A555F20CB57A018A7D9BCE437,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000094204Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:17:07.977{601D2BAB-10B3-614B-F701-00000000FD01}32123384C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{601D2BAB-04EF-614B-2300-00000000FD01}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094203Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:17:07.852{601D2BAB-04F0-614B-2B00-00000000FD01}28122832C:\Windows\system32\conhost.exe{601D2BAB-10B3-614B-F701-00000000FD01}3212C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094202Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:17:07.852{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094201Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:17:07.852{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094200Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:17:07.852{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094199Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:17:07.852{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094198Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:17:07.852{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094197Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:17:07.852{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094196Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:17:07.852{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094195Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:17:07.852{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094194Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:17:07.852{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094193Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:17:07.852{601D2BAB-04ED-614B-0500-00000000FD01}412528C:\Windows\system32\csrss.exe{601D2BAB-10B3-614B-F701-00000000FD01}3212C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000094192Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:17:07.852{601D2BAB-04EF-614B-2300-00000000FD01}15603852C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{601D2BAB-10B3-614B-F701-00000000FD01}3212C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000094191Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:17:07.854{601D2BAB-10B3-614B-F701-00000000FD01}3212C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{601D2BAB-04EE-614B-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{601D2BAB-04EF-614B-2300-00000000FD01}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000094190Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:17:07.805{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=12128412F676407A1E2745CB152DB2A2,SHA256=4EB78162A00DEA5E9D03928736D64B8A92C2A4287345ED8A0A383CE965091FE7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000112060Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:17:07.396{D0132419-04DE-614B-3100-00000000FC01}23683044C:\Windows\system32\conhost.exe{D0132419-10B3-614B-4502-00000000FC01}5300C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000112059Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:17:07.396{D0132419-04CF-614B-0C00-00000000FC01}8484484C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000112058Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:17:07.396{D0132419-04CF-614B-0C00-00000000FC01}8484484C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000112057Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:17:07.396{D0132419-04CF-614B-0C00-00000000FC01}8484484C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000112056Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:17:07.396{D0132419-04CD-614B-0500-00000000FC01}424440C:\Windows\system32\csrss.exe{D0132419-10B3-614B-4502-00000000FC01}5300C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000112055Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:17:07.396{D0132419-04CF-614B-0C00-00000000FC01}8484484C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000112054Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:17:07.396{D0132419-04DD-614B-2800-00000000FC01}28323704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D0132419-10B3-614B-4502-00000000FC01}5300C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000112053Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:17:07.396{D0132419-10B3-614B-4502-00000000FC01}5300C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D0132419-04CD-614B-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{D0132419-04DD-614B-2800-00000000FC01}2832C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000112052Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:17:07.224{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4727FF6D402A537BCD2BFF9F0FA6682D,SHA256=CD7735F6A33CA0768ED8AE6403455C5B9C70662F867AFEAC7F476577C4F47CF4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000112051Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:17:07.224{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F820048EA03C740DD8D94013A4EBCC33,SHA256=3F9587F155E975D25CE85CB5FAA08B8087BC06CC8077E030085F634232B2DDBC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000094189Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:17:07.259{601D2BAB-04F0-614B-2B00-00000000FD01}28122832C:\Windows\system32\conhost.exe{601D2BAB-10B3-614B-F601-00000000FD01}3504C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094188Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:17:07.259{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094187Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:17:07.259{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094186Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:17:07.259{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094185Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:17:07.259{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094184Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:17:07.259{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094183Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:17:07.259{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094182Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:17:07.259{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094181Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:17:07.259{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094180Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:17:07.259{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094179Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:17:07.259{601D2BAB-04ED-614B-0500-00000000FD01}412428C:\Windows\system32\csrss.exe{601D2BAB-10B3-614B-F601-00000000FD01}3504C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000094178Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:17:07.259{601D2BAB-04EF-614B-2300-00000000FD01}15603852C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{601D2BAB-10B3-614B-F601-00000000FD01}3504C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000094177Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:17:07.259{601D2BAB-10B3-614B-F601-00000000FD01}3504C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{601D2BAB-04EE-614B-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{601D2BAB-04EF-614B-2300-00000000FD01}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000094176Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:17:07.227{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8A5D5C8BCFE43DDEEB6968EBAAAB2286,SHA256=C4274AE3847B72705001A8E77650FF26B66525561EBD7003F51DEF5A287DEBC4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000094175Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:17:07.227{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=041F68075A611CCEA82229B9DAC84130,SHA256=69F99E7AC53F85EB0A53999A5F4BE4D28F264436AC9C76B2C33314489F1FDBA4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000112069Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:17:08.802{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=510AE3C1FAB796F51585392D3CD8B952,SHA256=CA9F33618EDF75D7B537FA5D280C5966A8A423968FC85FE1ADB07A39F8509215,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000094207Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:17:08.821{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE644D988CB34F7ACB574740EBDC559D,SHA256=5046412604BCE1BCFB0925927C46AD6CD8774F8F6B8AFB46A4E4CA738C480D55,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000112068Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:17:08.443{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4727FF6D402A537BCD2BFF9F0FA6682D,SHA256=CD7735F6A33CA0768ED8AE6403455C5B9C70662F867AFEAC7F476577C4F47CF4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000112067Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:17:06.049{D0132419-04C7-614B-0100-00000000FC01}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:b08d:bb0:abe3:5127win-dc-639.attackrange.local55805-truefe80:0:0:0:b08d:bb0:abe3:5127win-dc-639.attackrange.local445microsoft-ds 354300x8000000000000000112066Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:17:06.049{D0132419-04C7-614B-0100-00000000FC01}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:b08d:bb0:abe3:5127win-dc-639.attackrange.local55805-truefe80:0:0:0:b08d:bb0:abe3:5127win-dc-639.attackrange.local445microsoft-ds 354300x8000000000000000112065Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:17:05.955{D0132419-04CD-614B-0B00-00000000FC01}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-639.attackrange.local55804-false10.0.1.14win-dc-639.attackrange.local389ldap 354300x8000000000000000112064Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:17:05.955{D0132419-04D0-614B-1000-00000000FC01}388C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local55804-false10.0.1.14win-dc-639.attackrange.local389ldap 354300x8000000000000000112063Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:17:05.944{D0132419-04CD-614B-0B00-00000000FC01}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:b08d:bb0:abe3:5127win-dc-639.attackrange.local55803-truefe80:0:0:0:b08d:bb0:abe3:5127win-dc-639.attackrange.local389ldap 354300x8000000000000000112062Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:17:05.944{D0132419-04D0-614B-1000-00000000FC01}388C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:b08d:bb0:abe3:5127win-dc-639.attackrange.local55803-truefe80:0:0:0:b08d:bb0:abe3:5127win-dc-639.attackrange.local389ldap 23542300x800000000000000094206Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:17:08.274{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8A5D5C8BCFE43DDEEB6968EBAAAB2286,SHA256=C4274AE3847B72705001A8E77650FF26B66525561EBD7003F51DEF5A287DEBC4,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000094205Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:17:06.119{601D2BAB-04F9-614B-6600-00000000FD01}2700C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-301.eu-central-1.compute.internal50309-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000112071Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:17:09.818{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F73D915084E3B45271391D55D3164BE,SHA256=4AC5DEA0A7C7C18EB04DD9C89A3EC37AAB20AEBFE0E56B9E21676019AACB1688,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000094222Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:17:09.884{601D2BAB-10B5-614B-F801-00000000FD01}31563016C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{601D2BAB-04EF-614B-2300-00000000FD01}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000094221Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:17:09.821{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD79AE7EA6996563D6347803B27D7A24,SHA256=8FEC0C601BC9EACA930BFD7A41EA2693F4F2DC08B28B9E0A02BD84685A090B56,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000112070Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:17:07.639{D0132419-04E8-614B-6A00-00000000FC01}3852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local55806-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x800000000000000094220Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:17:09.759{601D2BAB-04F0-614B-2B00-00000000FD01}28122832C:\Windows\system32\conhost.exe{601D2BAB-10B5-614B-F801-00000000FD01}3156C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094219Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:17:09.759{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094218Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:17:09.759{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094217Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:17:09.759{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094216Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:17:09.759{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094215Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:17:09.759{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094214Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:17:09.759{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094213Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:17:09.759{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094212Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:17:09.759{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094211Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:17:09.759{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094210Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:17:09.759{601D2BAB-04ED-614B-0500-00000000FD01}412528C:\Windows\system32\csrss.exe{601D2BAB-10B5-614B-F801-00000000FD01}3156C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000094209Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:17:09.759{601D2BAB-04EF-614B-2300-00000000FD01}15603852C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{601D2BAB-10B5-614B-F801-00000000FD01}3156C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000094208Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:17:09.759{601D2BAB-10B5-614B-F801-00000000FD01}3156C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{601D2BAB-04EE-614B-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{601D2BAB-04EF-614B-2300-00000000FD01}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000112072Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:17:10.849{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E239E673FA9D94DD3CB33CE5D9830DCC,SHA256=1ED276C5CC0E8E91D3A35E4C38D973DD902B3E09FAD6BED3D21E59DF0ACED40B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000094252Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:17:10.934{601D2BAB-04F0-614B-2B00-00000000FD01}28122832C:\Windows\system32\conhost.exe{601D2BAB-10B6-614B-FA01-00000000FD01}640C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000094251Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:17:10.934{601D2BAB-04EF-614B-1D00-00000000FD01}1920NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-03510517867203100\channels\health\respondent-20210922102657-048MD5=22FBA84AE51C77110BB6250FAEBEFB73,SHA256=8C4862C18A6D8E85F040577B2F2863C8212E82437A5FE9547DE6724818512818,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000094250Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:17:10.933{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094249Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:17:10.933{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094248Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:17:10.933{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094247Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:17:10.933{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094246Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:17:10.932{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094245Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:17:10.932{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094244Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:17:10.932{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094243Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:17:10.932{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094242Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:17:10.932{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094241Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:17:10.932{601D2BAB-04ED-614B-0500-00000000FD01}412528C:\Windows\system32\csrss.exe{601D2BAB-10B6-614B-FA01-00000000FD01}640C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000094240Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:17:10.932{601D2BAB-04EF-614B-2300-00000000FD01}15603852C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{601D2BAB-10B6-614B-FA01-00000000FD01}640C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000094239Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:17:10.931{601D2BAB-10B6-614B-FA01-00000000FD01}640C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{601D2BAB-04EE-614B-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{601D2BAB-04EF-614B-2300-00000000FD01}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000094238Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:17:10.852{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=29FE1F2F76B52872B21025A12D9827B5,SHA256=4AA4450E6AFF2DDA954543ADF706B770C5017476D95D09AE10B8DFC1B51E423D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000094237Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:17:10.759{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DC4DFF99944D3878181DF2A0736112A6,SHA256=29132B5A0714D650CD8FF02584EE0491D83227AE54B294DDC5A495CD7F8A3AC5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000094236Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:17:10.384{601D2BAB-10B6-614B-F901-00000000FD01}35483372C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{601D2BAB-04EF-614B-2300-00000000FD01}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094235Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:17:10.259{601D2BAB-04F0-614B-2B00-00000000FD01}28122832C:\Windows\system32\conhost.exe{601D2BAB-10B6-614B-F901-00000000FD01}3548C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094234Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:17:10.259{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094233Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:17:10.259{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094232Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:17:10.259{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094231Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:17:10.259{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094230Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:17:10.259{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094229Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:17:10.259{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094228Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:17:10.259{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094227Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:17:10.259{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094226Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:17:10.259{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094225Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:17:10.259{601D2BAB-04ED-614B-0500-00000000FD01}412428C:\Windows\system32\csrss.exe{601D2BAB-10B6-614B-F901-00000000FD01}3548C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000094224Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:17:10.259{601D2BAB-04EF-614B-2300-00000000FD01}15603852C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{601D2BAB-10B6-614B-F901-00000000FD01}3548C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000094223Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:17:10.259{601D2BAB-10B6-614B-F901-00000000FD01}3548C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{601D2BAB-04EE-614B-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{601D2BAB-04EF-614B-2300-00000000FD01}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000112073Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:17:11.864{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA67476EDBD0A11E5DD703C92AC83424,SHA256=DAC659CE92E523576E8131891CD689DDDE235DAA3445B4AA71C8822BDC079B31,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000094256Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:17:11.934{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=46A5ADFC01FE70BD2039F0D49155563B,SHA256=8590AA1255C35A0094181BA10718160049CFE36FA1747D5E248F589BB9EB0653,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000094255Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:17:11.931{601D2BAB-04EF-614B-1D00-00000000FD01}1920NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-03510517867203100\channels\health\surveyor-20210922102655-049MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000094254Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:17:11.853{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E5AD475366A0CC31C7A2920F8F16A96,SHA256=806E920DDA8C0D434BE98980F15BB0BF185475B4D3B8763E866A057CCA90976C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000094253Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:17:11.056{601D2BAB-10B6-614B-FA01-00000000FD01}6403668C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{601D2BAB-04EF-614B-2300-00000000FD01}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000112074Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:17:12.880{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B441C24A349DAE09AA542F494417BD4A,SHA256=54069E7719B6E94107772938E7C99D55CDC874545FCAE2797F67A37D2E50C16C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000094257Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:17:12.867{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=87E49D76F75B5E3E496F2DBAE8BF43DC,SHA256=8288174EBF554FE545C9AC325C504F7287611C2D56E16032CD628EA4216F9C7F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000112075Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:17:13.911{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5AD4813194EA525A396C7D2B988D21E0,SHA256=DDBDB9C401CBEF40A15DF153CDC7DE1947D6827CED8096D841BB47568704F153,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000094272Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:17:13.930{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=177FA03D7624AA2A782BF7F1492469B2,SHA256=85138D8CCCB79234B2503A4C77356AAE3CF921BC5CB3E8C082020963815696F7,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000094271Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:17:12.055{601D2BAB-04F9-614B-6600-00000000FD01}2700C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-301.eu-central-1.compute.internal50310-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x800000000000000094270Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:17:13.008{601D2BAB-04F0-614B-2B00-00000000FD01}28122832C:\Windows\system32\conhost.exe{601D2BAB-10B9-614B-FB01-00000000FD01}3160C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094269Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:17:13.008{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094268Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:17:13.008{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094267Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:17:13.008{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094266Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:17:13.008{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094265Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:17:13.008{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094264Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:17:13.008{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094263Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:17:13.008{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094262Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:17:13.008{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094261Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:17:13.008{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094260Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:17:13.008{601D2BAB-04ED-614B-0500-00000000FD01}412528C:\Windows\system32\csrss.exe{601D2BAB-10B9-614B-FB01-00000000FD01}3160C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000094259Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:17:13.008{601D2BAB-04EF-614B-2300-00000000FD01}15603852C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{601D2BAB-10B9-614B-FB01-00000000FD01}3160C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000094258Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:17:13.009{601D2BAB-10B9-614B-FB01-00000000FD01}3160C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{601D2BAB-04EE-614B-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{601D2BAB-04EF-614B-2300-00000000FD01}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000112076Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:17:14.943{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3971CF3F2EBF99A6F5D4D3A42B386FCD,SHA256=384117C79CDAD35AD47CCABF60D53D7159F1B560CAAF70B55D3415ACCDA7477E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000094274Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:17:14.946{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=08A4C7411964BABCCC7F77517C6C1328,SHA256=CFADAB417A900449F3F9AC4440F0CEB8DFBE1F1244712A182A43FA39F1DD1577,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000094273Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:17:14.008{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1AE38D10E095F851D97AEA68B92D2E1C,SHA256=5B40FEC9A0D8C16CC3181C0454A2EE7C526DE965EA3C96749365D6CD7B30F4A6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000112078Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:17:15.958{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CCAD12F3C22C65AE94BAA0C1E9923260,SHA256=A240E0341F1DBC815B4A0361C2126BC43DEBCE0B1B3898FA562FF7ED4F8853ED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000094275Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:17:15.946{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B37751E8F0768DDFC4968D9CBE974396,SHA256=1E877F4216BA3EE4A6D3C61DE0D9B572FB1B924584D9606E6F64719BCBF71759,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000112077Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:17:13.576{D0132419-04E8-614B-6A00-00000000FC01}3852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local55807-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000112079Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:17:16.958{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3CFE9ED93A6BCF0B69EBD074BFBB1D0E,SHA256=F73B2E843328C48910E62B671A1F3E72D21D6DF9974C258DC05A39BFCFAA34A5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000094276Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:17:16.961{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4AB82899E720A3C8A9958C0A8B5EF650,SHA256=3D7724422C543858D14E7EBBE1D3DE14E50F2F9BD735FD06EFCB30778A299A57,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000094277Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:17:17.961{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D0EF247F657EBF36265AEE7C49FAE021,SHA256=75147871CBC00E60F20326781ACCD422AC51BD10F9A965385CE15A067271B164,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000112080Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:17:17.974{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0BD43A7D17C652280C23F09A53A6D3AA,SHA256=442FCB25D4A4E7AEF058F5BD023356782443418C4FD242DA8278F71D3A828BB9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000094278Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:17:18.993{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E2F0E75FF9FF910E185BD8CDE42C3D2D,SHA256=F80CAEF40D1E4248CCE9795E1D9823903A97877FC208B53CFB49C8CB578FF9D4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000112082Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:17:18.380{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A2ED67E3987A201130EC8A5A21E51EB5,SHA256=F214A07DF890A7D69CBB825EAEDDF554D30AFF1909940DF0C72F9247499C9BA6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000112081Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:17:18.380{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FD37DF455DD188B6B19ABCC9B904049C,SHA256=6C8C59038A5A07291A0FF57127D9AE37B8BDBC4F946A1352C76CEA201D4884C0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000112083Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:17:19.021{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=426180C43ACECE3E2A497B491E24B825,SHA256=252C70081A8B751F1A33BA7A71136E5411CE9D9C39E0463907C545927FEB571D,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000094280Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:17:18.040{601D2BAB-04F9-614B-6600-00000000FD01}2700C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-301.eu-central-1.compute.internal50311-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000094279Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:17:19.998{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5497FE0A875EE7AC09B96660DCBCB33C,SHA256=EFD4003A88D5D432BC10182E10CA6FE94D07B181CA7D8D09E665BE5857C20D4C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000112084Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:17:20.052{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=27095F6AE4769788CECCA96AE044E264,SHA256=454B68CFA3BEF0F26778520DD3CF5F177632C5BCB0DD2E1CA39CFBABF3A969FD,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000112086Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:17:19.576{D0132419-04E8-614B-6A00-00000000FC01}3852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local55808-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000112085Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:17:21.099{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A04B553DC4977970695C4BE2CF888C09,SHA256=225A93BD3F6326BD069B0B48EE528DCB97996A4EF12875C21C0ED0AABA059777,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000094281Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:17:20.998{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=859CF9D83395290563A609EF8BC2001B,SHA256=56593B328B17E271CC9E8517EA44424EA5F95E596972002F6AEF6602228401C2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000112087Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:17:22.114{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A48301885AF1D8361D61C6EB8CD8F45,SHA256=7CFD7FD4A45CCE86A05EECA17DC64DBB91D6FBEF1891D390926A49BC59024B39,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000094282Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:17:22.045{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E9424A408158DEA433BE307E85386CB,SHA256=9F5EC822DB650E1C6B9E4A7B2BDE9AAC53E6BA634B4E06CAC09E03023052E119,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000094283Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:17:23.092{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E53E261CB0C57DD84972C253A4876AF,SHA256=7F6669A9FC6CA3E9C6FA1CA8C247E183B7010193FE3CD0218DE4F2EA9DCC7192,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000112088Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:17:23.130{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=87D8DBC0E653EA433AF210A5C16F64AD,SHA256=1367CEFBA5DF5878D9C189A5A2A552F6E64D6A3A24038E6FA3F41D0487970B14,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000094285Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:17:23.077{601D2BAB-04F9-614B-6600-00000000FD01}2700C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-301.eu-central-1.compute.internal50312-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000094284Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:17:24.092{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=31DEA51E8FD0A88E5B2041BF84C483C1,SHA256=E39235224188119B32EB9DD53158C0BDF6003351EC2F13A9C92F853BD14B3A25,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000112089Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:17:24.161{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D2F1A0E2857F6D042111C263D1A1738A,SHA256=C220311AC737DFF7684DB6E84782CA2BDA8429A867D56BE6F21DBF367D6DDD00,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000112091Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:17:25.177{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D929E9E2E82E6B1A15CF3CADF4C70778,SHA256=285F4AE738363B063DC3C53E3CB7003878309E9724A47DF316B918530D160283,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000094286Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:17:25.107{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7847B79C88DBA099BE959494530FA0A6,SHA256=215EC675AEF9C979C613DCD006FEB156DC7413A92F73749DD18B88490B01652A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000112090Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:17:25.036{D0132419-04D0-614B-1300-00000000FC01}396NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=70EF17CCB51E964C8646BD5077B36943,SHA256=6337836B861A1BBC77661ABB2D5275E9EE0454D812D5447DE754EE8DAD381105,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000112093Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:17:24.607{D0132419-04E8-614B-6A00-00000000FC01}3852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local55809-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000112092Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:17:26.177{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=86872EB9AD2D4C4B81D3C18615669928,SHA256=D1FF2DB3C29F6DE70DE129311F174F50610B7D1EA2E6CCB834890ED01595E7C3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000094287Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:17:26.107{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=857CA314883ECC272E19915258648DA0,SHA256=63A8F188BB40F122242A880212496D667847657432095B1638B2C7353A95E838,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000094288Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:17:27.107{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EDAD823CC2AD9E34D3B25632C57D6539,SHA256=5AACA09693305ED056F5883CAD65E393EC25AAC7930E8CFD444619C498A68B1C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000112094Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:17:27.193{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BAD0BB9AEAC94C20045F05DAABB4D90D,SHA256=777C8EBEDCF14F4D4C4A64EB6CE9EE3F1EF96A2C1F31AD41E5DB5FB390EC1039,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000094289Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:17:28.107{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D0812EB4ED146B965A59817517C97DF,SHA256=4AF817647752C5D98FEF9DC52157CC12EE0D267BC14689F8340C5E3A277EC24F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000112095Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:17:28.208{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C193579208648AA3F3FD967577EC7873,SHA256=84552A5AC167FE8CECBDD6C0277A8EE73BD4B6112CDCAD276D005E6352327282,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000112096Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:17:29.239{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C5BABC1AFBEA00AE26A0FD05CDCA6998,SHA256=157680F967EC217D6E060E1A8B635379950FB8666679F9F814E41169E3561B60,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000094291Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:17:28.218{601D2BAB-04F9-614B-6600-00000000FD01}2700C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-301.eu-central-1.compute.internal50313-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000094290Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:17:29.107{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5DEF4457C83A0F530860B4EB5AC6F7E5,SHA256=D4BEC476F400821003786B31D2252127E295256DAF43FF86F82E32BB5A87DA67,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000112097Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:17:30.286{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=867486339CE32535164FEE4BA646A0EE,SHA256=74D56208A63E241DFFB98D16C22C2EB11999F75AAAB642E6E475504245FAC534,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000094292Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:17:30.123{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=625899A90CBBEE90C2C90BE6AD98FFBB,SHA256=43F360AEE6FE17FEE3CFDF353D9D0469C7E3E3490963FAD0724CBD98C021074C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000112098Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:17:31.302{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=46D200C3AE5731A2F63044A794A05AB7,SHA256=EB05FC8ED536E14543469858BBE03EBCFCE07432C21F1D8F0991E5C866E00ECE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000094293Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:17:31.123{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=70F29F8A32FAAE0FC41F41E0D220C782,SHA256=8B9AB035ADF526AEB08953450B9CDDC211DC3E25BD87271FEDD6212D34F9AEB4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000094294Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:17:32.139{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3FB1DEBCAACC585FB22BF18B36288E16,SHA256=A306E1A3B793148F12CC45F95D2D9E1D4BE2EAA5A7F9FFD10F50AC488A47211B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000112100Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:17:32.349{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F514163892B88098E54E2F39F80590CF,SHA256=DFF41E6DE44DF451595CECCB46CDB87CC9BF05C37F83E3C4B9F7C3317E9B3B95,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000112099Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:17:29.685{D0132419-04E8-614B-6A00-00000000FC01}3852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local55810-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000112101Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:17:33.364{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D8C7F6C388C36D229B74E6B69D94C0E,SHA256=079999FBC7FD248F9F0623EA6DD863A515C02888217722E21AE984C8084DD61B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000094295Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:17:33.154{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=23B8DB57D38A384F9C3DA4C411819D3B,SHA256=85CE2CCF0DBB9D172D19B91EDB555CC77FA50E995D157EE2C3B9AF26ADDB5F9E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000112102Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:17:34.380{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=69494ABCF93CE22D078BEB67B81E747E,SHA256=D9344EE46ED86BA78F5B84BA4CCE3F251860C7D6E8F22439818E8FF5D02C263C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000094296Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:17:34.170{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4A180B4A1C81F56DA248BAF79C23E886,SHA256=D6A5EE8A3902BF2686F7FAF89D45C35898516913EA6A6A317337D74C80155C1F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000112103Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:17:35.396{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=15DC4611D66F46303C3BF75204930E26,SHA256=969B972CC109E08FF2FAB9DD9BCFA8BFA4F9D442BBBD38F057F1E340BA3D7306,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000094298Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:17:34.124{601D2BAB-04F9-614B-6600-00000000FD01}2700C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-301.eu-central-1.compute.internal50314-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000094297Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:17:35.217{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D81111E2F7429AE5ECAA659F2F25E502,SHA256=ADE2205BE4B508B54E07587A221A9A63F7CF3B06AEA8CB5CE904FB52952D403F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000094299Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:17:36.232{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B5C599248070605E71628A802EC596E9,SHA256=48A0C00DBBD58C8A6C0AB97BB9A269F543A1965850450BA6C34AC1BFACEA6DC8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000112105Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:17:36.880{D0132419-04DD-614B-2800-00000000FC01}2832NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=2990B16A694DD695D7F6C8AE7AEE48F0,SHA256=B465CF03FBDF89CAB3FC04972E2D540944CDC3DF8EB3010FFE979D2D499C10D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000112104Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:17:36.411{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6CE7765E8BC5B34089277A30C5E8A6C5,SHA256=1055B2D8BAB4F11FFF3900D630187C985972547C80A7E0213EE8A1134314A05F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000094300Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:17:37.279{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D05BE66CCC11DB6F78902E1323BCBB4,SHA256=42022E9C8916548ABCD47A18BA1B916BC2C43E19729BE780DFFAEB5E9EDC6161,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000112106Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:17:37.427{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D7DD05BF76DC222949B57E28068EDC22,SHA256=025B77841933811428A5A87F525E2E08122397E109B0A7F82ED18532A992F6C4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000112109Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:17:38.443{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=41D0309CB164196D6E0F6D484112F75A,SHA256=31C906BD52DAC0758E3C24A632FA3F8CB61628213019B08FAF53D8E021200B38,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000094301Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:17:38.311{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B447E5F65E3161E2B617B77B1A055C8,SHA256=959A58211DFC6C751B257F57B3E6F10B7440DE22C99827AC11002A0AFE27C50A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000112108Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:17:36.357{D0132419-04DD-614B-2800-00000000FC01}2832C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local55812-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 354300x8000000000000000112107Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:17:35.670{D0132419-04E8-614B-6A00-00000000FC01}3852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local55811-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000112110Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:17:39.458{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=35D6AEACEAFCBAE751322031390E3959,SHA256=036DB858F8C0CAD200EBB02A2BF00618F3A3F57378C061FC35C0F6542A292B69,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000094302Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:17:39.311{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E7496B6489E0BCAA91E7FB445774756,SHA256=64DF682B9B86076ECA448A7DD17E0FAABB0C9C7086C9014C5F9E62533BEA39CC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000094303Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:17:40.317{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=12308DD6BCA3869D006A94A9AFDDB42C,SHA256=4A2BCC823A352E2D168004C94577DF1B6FE3108BA5A7302836B473971F646044,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000112111Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:17:40.474{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=045C1886E61104876F3CA72E35F1028F,SHA256=DEBC092CD40637B98BD6DA1FDE9FB9DD94D680859FEF2155588349EA3B411755,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000094306Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:17:40.068{601D2BAB-04F9-614B-6600-00000000FD01}2700C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-301.eu-central-1.compute.internal50315-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000094305Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:17:41.833{601D2BAB-04EF-614B-2300-00000000FD01}1560NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=2990B16A694DD695D7F6C8AE7AEE48F0,SHA256=B465CF03FBDF89CAB3FC04972E2D540944CDC3DF8EB3010FFE979D2D499C10D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000094304Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:17:41.317{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA5286A53AEEF642F272457D6969827B,SHA256=F6CAA334A4E37AC870778B0F026154C77D10DCA03171760618017D03B220CD14,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000112112Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:17:41.489{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA61B4B2F72BD92307E7D1D2D40BD85F,SHA256=E8EA152BA8FA5293C2AC6E353CDFB49F9B91A153204858C9FD59C78F6C659C87,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000112113Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:17:42.521{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=09A841DD2B103734D14DA0B8EE5492DD,SHA256=A819C05226BD3CE044DC05E1FE418D1DA147398D97EEE5D0D1E859C769CB91E1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000094307Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:17:42.317{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A5D9BAF40F49DD442334AA578B35156C,SHA256=DC2163F360B4FDB674D88A93F05C1AA69CA9AC5124B997DFB3F564C4FFD359D7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000112115Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:17:43.536{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F0BC3FEC9CD6FAEDD2B03B9914D97872,SHA256=6D65DBAB91E4C49F6694E1F19253EB2AFD9034B759AACB1B70C05ABCE2FCFB57,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000094308Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:17:43.317{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7669995B05A3BDB1684BB4D59706997D,SHA256=FD8036AEB115E00E29BEAEFF86BF28F4AFA43D7C69BF2F92EF7E4B451306D646,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000112114Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:17:41.669{D0132419-04E8-614B-6A00-00000000FC01}3852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local55813-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000094310Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:17:44.348{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA90BC31E6A1B8FD1397A2F5C5C78304,SHA256=1728F80DFB80B5AC38628C2193C3F6FDDA0692967C27B2EF563F7DF72186E408,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000112116Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:17:44.552{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C52BF8E8008DCE9AE2E5CAAEFCDF7D42,SHA256=C22723C21573A54BF9183343D08A3B2F6A05103680109E4E32A78B0D89CD8D17,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000094309Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:17:41.771{601D2BAB-04EF-614B-2300-00000000FD01}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-301.eu-central-1.compute.internal50316-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x800000000000000094311Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:17:45.348{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D6B30CFD98390D65CED113D86BDE7F9,SHA256=F4FBA9DCB42E3D8B5E7E972A99DE148ED500BBA18D483D0FFDE4A99DAE5DB847,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000112117Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:17:45.599{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6657C50B0FFB70C470D3862BE2278420,SHA256=7E27CDCFD7804BC034926A2527C45E04E2FCEE64ECEDD5553FB5BAE027370BE4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000112118Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:17:46.614{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CBC7B1285E740317F037693F9C485E34,SHA256=14616662FC2B12811AA29FA89AD2F1CB27AF1B3B4E02DAC47556742E9D59C15F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000094312Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:17:46.348{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D194B4CBADE6CBC1E4D66F8181759C16,SHA256=2C7DBC9CA5EAC26FF98CAC8E4993AA9C0D677C1D56DBDC60573B0F1B77084F47,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000112119Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:17:47.646{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D769610A8459430B203D8C1684466B5,SHA256=39B026AA4446739F5A80C8C08F8570F337760D16FA131A3A62CB6A1155100380,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000094314Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:17:47.379{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD4482087BEE98277078B5104744CC30,SHA256=3ADE15676B975C8F69E1617AF831EADC78E53A0665324A51C9796A4F441AFC22,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000094313Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:17:45.177{601D2BAB-04F9-614B-6600-00000000FD01}2700C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-301.eu-central-1.compute.internal50317-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000112120Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:17:48.661{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D78AC3163200FA698D05DE25C8BF2CD7,SHA256=B1707EAE090EFEF3B4650D1CAE2318314A553A05E462FA47B12E4D773A493556,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000094315Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:17:48.379{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=403D2ADFF36BFED337B1D9B5942FE25D,SHA256=933B94B5165D1E2DA993952E4D1EC89178DFE4C4AA861662608726D39D52C327,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000094316Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:17:49.395{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=660E5BC91007C138A47359C6157F878A,SHA256=648A35AE6735E1E98C7F28A65335C9232161784F0D5C5FB45B5C0502547C1DD3,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000112130Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:17:47.669{D0132419-04E8-614B-6A00-00000000FC01}3852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local55814-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000112129Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:17:49.661{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=70BA0E58B11FB22FBB5864451F3F2EE7,SHA256=0D67AB67E597E74A80C93098F698ED17B675E82C255F8B2B612FB70AAB3C9741,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000112128Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:17:49.599{D0132419-04DE-614B-3100-00000000FC01}23683044C:\Windows\system32\conhost.exe{D0132419-10DD-614B-4602-00000000FC01}4500C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000112127Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:17:49.599{D0132419-04CF-614B-0C00-00000000FC01}8484484C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000112126Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:17:49.599{D0132419-04CF-614B-0C00-00000000FC01}8484484C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000112125Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:17:49.599{D0132419-04CF-614B-0C00-00000000FC01}8484484C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000112124Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:17:49.599{D0132419-04CF-614B-0C00-00000000FC01}8484484C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000112123Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:17:49.599{D0132419-04CD-614B-0500-00000000FC01}424540C:\Windows\system32\csrss.exe{D0132419-10DD-614B-4602-00000000FC01}4500C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000112122Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:17:49.599{D0132419-04DD-614B-2800-00000000FC01}28323704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D0132419-10DD-614B-4602-00000000FC01}4500C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000112121Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:17:49.599{D0132419-10DD-614B-4602-00000000FC01}4500C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D0132419-04CD-614B-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{D0132419-04DD-614B-2800-00000000FC01}2832C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000112141Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:17:50.692{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=14D4A02AEE60B6E6FA6A0157529DDA08,SHA256=ED4CE0F7E7BD5B43B5988335E046ADF09DAA2A5556EC5849A84B3FA4965DA9C6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000094317Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:17:50.411{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B3E9C193EB735D9A7E94411A4D4B08E,SHA256=E9E91E9853288F2EE0B1338710DA46D8538D692880F600E35DC9860F2C704408,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000112140Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:17:50.630{D0132419-04DE-614B-3100-00000000FC01}23683044C:\Windows\system32\conhost.exe{D0132419-10DE-614B-4702-00000000FC01}4180C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000112139Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:17:50.630{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=222F4B2696E2C39189F18577635EA89A,SHA256=3B1102F9D3194ACD36A4E8997C988C2C033EB15B661B7AD48654A7C21E1FD6CC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000112138Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:17:50.630{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A2ED67E3987A201130EC8A5A21E51EB5,SHA256=F214A07DF890A7D69CBB825EAEDDF554D30AFF1909940DF0C72F9247499C9BA6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000112137Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:17:50.630{D0132419-04CF-614B-0C00-00000000FC01}8484484C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000112136Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:17:50.630{D0132419-04CF-614B-0C00-00000000FC01}8484484C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000112135Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:17:50.630{D0132419-04CF-614B-0C00-00000000FC01}8484484C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000112134Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:17:50.630{D0132419-04CF-614B-0C00-00000000FC01}8484484C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000112133Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:17:50.630{D0132419-04CD-614B-0500-00000000FC01}424540C:\Windows\system32\csrss.exe{D0132419-10DE-614B-4702-00000000FC01}4180C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000112132Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:17:50.630{D0132419-04DD-614B-2800-00000000FC01}28323704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D0132419-10DE-614B-4702-00000000FC01}4180C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000112131Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:17:50.631{D0132419-10DE-614B-4702-00000000FC01}4180C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D0132419-04CD-614B-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{D0132419-04DD-614B-2800-00000000FC01}2832C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000112152Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:17:51.708{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=543A5C9B6AF645D23A8DCFD1EDE0AFC6,SHA256=4297192ACD231A92EDFC874B30462457351E2C42333921614E2EAB9123750212,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000094318Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:17:51.411{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC0913FB0D2F54FF74E4DD1F9D84440D,SHA256=A4687F36856A84CB759557AAE7976227585E2284FA6877BF80F3BB045FB035D7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000112151Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:17:51.677{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=222F4B2696E2C39189F18577635EA89A,SHA256=3B1102F9D3194ACD36A4E8997C988C2C033EB15B661B7AD48654A7C21E1FD6CC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000112150Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:17:51.318{D0132419-10DF-614B-4802-00000000FC01}49246120C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{D0132419-04DD-614B-2800-00000000FC01}2832C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000112149Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:17:51.130{D0132419-04DE-614B-3100-00000000FC01}23683044C:\Windows\system32\conhost.exe{D0132419-10DF-614B-4802-00000000FC01}4924C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000112148Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:17:51.130{D0132419-04CF-614B-0C00-00000000FC01}8484484C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000112147Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:17:51.130{D0132419-04CF-614B-0C00-00000000FC01}8484484C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000112146Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:17:51.130{D0132419-04CF-614B-0C00-00000000FC01}8484484C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000112145Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:17:51.130{D0132419-04CF-614B-0C00-00000000FC01}8484484C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000112144Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:17:51.130{D0132419-04CD-614B-0500-00000000FC01}424440C:\Windows\system32\csrss.exe{D0132419-10DF-614B-4802-00000000FC01}4924C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000112143Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:17:51.130{D0132419-04DD-614B-2800-00000000FC01}28323704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D0132419-10DF-614B-4802-00000000FC01}4924C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000112142Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:17:51.131{D0132419-10DF-614B-4802-00000000FC01}4924C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D0132419-04CD-614B-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{D0132419-04DD-614B-2800-00000000FC01}2832C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000112153Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:17:52.724{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B83C349FD1D57B4179A620F9F30E500,SHA256=8DD11046FAC792F9BDBEC9D0C926F2E5CA65668ABDCCF22FB0C7B5AA6007913F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000094319Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:17:52.458{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C8E4F8602CD47EDA963A60D8FD11E7D,SHA256=F68959B772D5F6AB3434463BF3492A7EC60323EAD27D7EA19602583633DA0CF0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000094321Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:17:53.458{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=667AA4EDD474F35A8BE2D61D8DCB7590,SHA256=84C4F0423C57D2C0D0659C96AADDC0A0E078122F34FE718708073C7B4AD90638,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000112165Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:17:53.786{D0132419-10E1-614B-4902-00000000FC01}54284632C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D0132419-04DD-614B-2800-00000000FC01}2832C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000112164Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:17:53.724{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=68CD42C285824A9E27CEF2C50ABCCC2E,SHA256=EA300B1644A6D3BC9692A1DC87D9C41FE65B9580F8BE516C41E55C65F284CCF6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000112163Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:17:53.599{D0132419-04DE-614B-3100-00000000FC01}23683044C:\Windows\system32\conhost.exe{D0132419-10E1-614B-4902-00000000FC01}5428C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000112162Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:17:53.599{D0132419-04CF-614B-0C00-00000000FC01}8484484C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000112161Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:17:53.599{D0132419-04CF-614B-0C00-00000000FC01}8484484C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000112160Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:17:53.599{D0132419-04CF-614B-0C00-00000000FC01}8484484C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000112159Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:17:53.599{D0132419-04CF-614B-0C00-00000000FC01}8484484C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000112158Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:17:53.599{D0132419-04CD-614B-0500-00000000FC01}424440C:\Windows\system32\csrss.exe{D0132419-10E1-614B-4902-00000000FC01}5428C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000112157Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:17:53.599{D0132419-04DD-614B-2800-00000000FC01}28323704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D0132419-10E1-614B-4902-00000000FC01}5428C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000112156Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:17:53.599{D0132419-10E1-614B-4902-00000000FC01}5428C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D0132419-04CD-614B-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{D0132419-04DD-614B-2800-00000000FC01}2832C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000112155Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:17:50.451{D0132419-04CD-614B-0B00-00000000FC01}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local55815-true0:0:0:0:0:0:0:1win-dc-639.attackrange.local389ldap 354300x8000000000000000112154Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:17:50.451{D0132419-04DD-614B-2500-00000000FC01}2784C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local55815-true0:0:0:0:0:0:0:1win-dc-639.attackrange.local389ldap 354300x800000000000000094320Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:17:51.178{601D2BAB-04F9-614B-6600-00000000FD01}2700C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-301.eu-central-1.compute.internal50318-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000112168Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:17:54.931{D0132419-04DD-614B-2900-00000000FC01}2876NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-00d0db05f68d8430c\channels\health\respondent-20210922102639-049MD5=345F625AB226979275E8E5CD8333D545,SHA256=49B2C959B2C09B2DF7CFAED4905912E8B63F426A3734D76F2BAAFA07100D73D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000112167Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:17:54.757{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=96B188C12B1342E4CA54A8E76253ACFF,SHA256=837912942417EAD50926E52E5143F65AFFEFC93E77D50841F1CA31EA99E27689,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000094322Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:17:54.458{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E1A960D107D6B7000CEF966604750CAF,SHA256=E378644EB9565DA4F655F83D428BE63EFE456DF7739D1EC00F08AA32C822E3BF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000112166Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:17:54.617{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CA79F16290C9802B016B942B1E3EB794,SHA256=F57D7113B59CF253434229FC5C4911676667AC4B99EB89F73A5A82FCD1D36B25,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000112171Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:17:55.938{D0132419-04DD-614B-2900-00000000FC01}2876NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-00d0db05f68d8430c\channels\health\surveyor-20210922102637-050MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000112170Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:17:53.575{D0132419-04E8-614B-6A00-00000000FC01}3852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local55816-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000112169Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:17:55.780{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E7B1092C72C134AE73CE22750801DD6A,SHA256=68E4E0251086770BA2C526412C4438BC01A5430CEF14639474D9645181C18721,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000094324Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:17:55.536{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E7E24D534599AD5CF6A0621BFAFC8B5,SHA256=F9DD9ECBECF989B586917AEB724C04B65B357A36A0CD6223AED90371D17041BC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000094323Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:17:55.255{601D2BAB-04EE-614B-1100-00000000FD01}972NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=349C3317C13DC3487FEADCB6EE771444,SHA256=C7F020069DCBF0AD94F954C43ACA536428A9ADF341237D2A3D17F4C4586A6CCD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000112172Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:17:56.798{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D53E0130CD6B6C478A25900283A9CDC1,SHA256=38167ED2B1D8BFCF13D7CC04FEEB285022395BF8AD84509752D871E891F79AF4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000094325Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:17:56.552{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4ECCDCE3F39965123AAC0CE86B397753,SHA256=E1754B926841ADF82F16B887B3A1D59FBF3156795E594EF725B79B8F0697EEB3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000112173Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:17:57.813{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E39822ADB56037ECDE1FAA4008EE2D5,SHA256=C7020514B1546A2B8E7B08FA357E07E61EE83FDE6D1C5DC6D142A0E0BC7E760E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000094326Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:17:57.567{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E4D6B7EDFBB50567EB12EC03FF69CB2,SHA256=75A019B663B462424C1B434EA804366192EFE85FC8DFECDB90BE4D30BCAFD57D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000094329Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:17:58.630{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0BE32215EA3D3158C03AD0F886F98882,SHA256=63B4892A12261D90E6FA3C392F5FEEC0C2E887D0874E3F39773A5F2B77256FD8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000112174Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:17:58.829{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F0866F978B6342362F3A5CC663C42EC5,SHA256=A2D97BEB9B910F9AF2A8E7DCB8D031A2909A25C8B6C7A19B222D94E856DAC275,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000094328Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:17:57.021{601D2BAB-04F9-614B-6600-00000000FD01}2700C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-301.eu-central-1.compute.internal50319-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x800000000000000094327Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:17:56.896{601D2BAB-04EE-614B-1100-00000000FD01}972C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruetruefe80:0:0:0:2ce4:3008:f5ff:fef0win-host-301546dhcpv6-clienttrueff02:0:0:0:0:0:1:2-547dhcpv6-server 23542300x8000000000000000112175Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:17:59.938{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D1BA091F1AC90ACD01112F7FADCD0962,SHA256=98E5557C7626A3227E63FD67B46E0C841BF1B1032A61F71209CDEBB1B181240C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000094330Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:17:59.645{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=725A4DEC440EC8686EAF0BAC47E07C78,SHA256=14B2D1B8616BD8F279BF1D55C2FA72AB7CECF88875E437A0E6B0FA7BD333F4F6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000112176Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:18:00.954{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2D527B54D7ECD862119C93773F8B7F3A,SHA256=EC51D4B3DD602C15B1E6BE3117EC3CCDAADD6CE6E63EF3975D2733C45582C57F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000094331Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:18:00.649{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=74DA962BB6E149BBCC372A16EDC94F88,SHA256=D904247FCF4A0C4E3E58A78CEAFC39D8FE09970BB452680B61445D67FD112924,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000112177Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:18:01.970{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2BE7A46C1725EACEE59139A14B8BF9A8,SHA256=F6CE096B8242C727684339A5926061C0E7545B858A91D5FED6F6721366369681,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000094332Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:18:01.680{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A4F93AAE848A164F28DC34B50AA69FD7,SHA256=D87B807B3F7BA1550A367344672D47ECECA47B248CFC1ABA537E03B57F89FB7B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000112179Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:18:02.985{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8769C378367E9FF40736696177CC655F,SHA256=0939DB8409D175D41EA60442191549136CA88DBC548798615D91DDA7A8174C4E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000094333Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:18:02.680{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D8C1B1207CBADCC9D4315E13159D466,SHA256=33E7294C28F7261CEC7C3CD4280D91A16F1CBE8248589930A02EA28D55A560B7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000112178Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:17:59.571{D0132419-04E8-614B-6A00-00000000FC01}3852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local55817-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000094335Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:18:03.695{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D61BB55450FA2BF8071E8834363DE45,SHA256=42BAEC605E908617AB7E207A685EE0B3F6B3F904E6B32E617B9D028B8C94DE4B,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000094334Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:18:02.212{601D2BAB-04F9-614B-6600-00000000FD01}2700C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-301.eu-central-1.compute.internal50320-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000094336Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:18:04.695{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D5045BFBEE777D0D1AC29AFB7704DA99,SHA256=085CFF8296E66818574CAD26718C4FE9EF4B0B75DF9DB541D75D4EF1C0B020A9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000112180Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:18:04.017{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A9C62447AF85BB966F90DA0098AAA77E,SHA256=00B2A899A7F913BE2B8A77E6CED6FE4CEC31A595750B64CA91D98E615A326860,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000094337Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:18:05.696{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=959D8540BFC70971089BB80D7DB0607D,SHA256=8E3A91A7E6123739D4C3E4BC0FAC69A801C0919AB4CF6E2CB57B06653B5B98DB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000112181Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:18:05.032{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=583CBE5FF67582203452F0286F2A604F,SHA256=62EA29D47730A1BFB6C83834BE9956D5120070F62E04FD3B8E6FBC6361ECEF99,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000094351Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:18:06.711{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=608DF2FADC119C6C86F8D61B1304EBA4,SHA256=85AAC28E51B626A66B90F8FBC8C7113448C47D6BA17395E566FBABB39A97814A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000112199Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:18:06.892{D0132419-04DE-614B-3100-00000000FC01}23683044C:\Windows\system32\conhost.exe{D0132419-10EE-614B-4B02-00000000FC01}5408C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000112198Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:18:06.892{D0132419-04CF-614B-0C00-00000000FC01}8484484C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000112197Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:18:06.892{D0132419-04CF-614B-0C00-00000000FC01}8484484C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000112196Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:18:06.892{D0132419-04CF-614B-0C00-00000000FC01}8484484C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000112195Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:18:06.892{D0132419-04CF-614B-0C00-00000000FC01}8484484C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000112194Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:18:06.892{D0132419-04CD-614B-0500-00000000FC01}424440C:\Windows\system32\csrss.exe{D0132419-10EE-614B-4B02-00000000FC01}5408C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000112193Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:18:06.892{D0132419-04DD-614B-2800-00000000FC01}28323704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D0132419-10EE-614B-4B02-00000000FC01}5408C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000112192Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:18:06.892{D0132419-10EE-614B-4B02-00000000FC01}5408C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D0132419-04CD-614B-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{D0132419-04DD-614B-2800-00000000FC01}2832C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000112191Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:18:06.423{D0132419-10EE-614B-4A02-00000000FC01}51364140C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D0132419-04DD-614B-2800-00000000FC01}2832C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000112190Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:18:06.220{D0132419-04DE-614B-3100-00000000FC01}23683044C:\Windows\system32\conhost.exe{D0132419-10EE-614B-4A02-00000000FC01}5136C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000112189Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:18:06.220{D0132419-04CF-614B-0C00-00000000FC01}8484484C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000112188Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:18:06.220{D0132419-04CF-614B-0C00-00000000FC01}8484484C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000112187Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:18:06.220{D0132419-04CF-614B-0C00-00000000FC01}8484484C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000112186Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:18:06.220{D0132419-04CF-614B-0C00-00000000FC01}8484484C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000112185Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:18:06.220{D0132419-04CD-614B-0500-00000000FC01}424540C:\Windows\system32\csrss.exe{D0132419-10EE-614B-4A02-00000000FC01}5136C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000112184Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:18:06.220{D0132419-04DD-614B-2800-00000000FC01}28323704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D0132419-10EE-614B-4A02-00000000FC01}5136C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000112183Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:18:06.220{D0132419-10EE-614B-4A02-00000000FC01}5136C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{D0132419-04CD-614B-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{D0132419-04DD-614B-2800-00000000FC01}2832C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000112182Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:18:06.048{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F337777EE321D1422296EAAF546295A,SHA256=553FFCE60A88E70430820912669C3D8277E370C20090356A23ECB3000D77FD3D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000094350Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:18:06.227{601D2BAB-04F0-614B-2B00-00000000FD01}28122832C:\Windows\system32\conhost.exe{601D2BAB-10EE-614B-FC01-00000000FD01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094349Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:18:06.227{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094348Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:18:06.227{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094347Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:18:06.227{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094346Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:18:06.227{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094345Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:18:06.227{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094344Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:18:06.227{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094343Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:18:06.227{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094342Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:18:06.227{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094341Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:18:06.227{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094340Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:18:06.227{601D2BAB-04ED-614B-0500-00000000FD01}4121044C:\Windows\system32\csrss.exe{601D2BAB-10EE-614B-FC01-00000000FD01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000094339Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:18:06.227{601D2BAB-04EF-614B-2300-00000000FD01}15603852C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{601D2BAB-10EE-614B-FC01-00000000FD01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000094338Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:18:06.227{601D2BAB-10EE-614B-FC01-00000000FD01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{601D2BAB-04EE-614B-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{601D2BAB-04EF-614B-2300-00000000FD01}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000094381Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:18:07.914{601D2BAB-10EF-614B-FE01-00000000FD01}34322488C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{601D2BAB-04EF-614B-2300-00000000FD01}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094380Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:18:07.774{601D2BAB-04F0-614B-2B00-00000000FD01}28122832C:\Windows\system32\conhost.exe{601D2BAB-10EF-614B-FE01-00000000FD01}3432C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094379Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:18:07.774{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094378Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:18:07.774{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094377Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:18:07.774{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094376Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:18:07.774{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094375Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:18:07.774{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094374Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:18:07.774{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094373Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:18:07.774{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094372Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:18:07.774{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094371Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:18:07.774{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094370Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:18:07.774{601D2BAB-04ED-614B-0500-00000000FD01}412528C:\Windows\system32\csrss.exe{601D2BAB-10EF-614B-FE01-00000000FD01}3432C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000094369Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:18:07.774{601D2BAB-04EF-614B-2300-00000000FD01}15603852C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{601D2BAB-10EF-614B-FE01-00000000FD01}3432C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000094368Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:18:07.775{601D2BAB-10EF-614B-FE01-00000000FD01}3432C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{601D2BAB-04EE-614B-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{601D2BAB-04EF-614B-2300-00000000FD01}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000094367Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:18:07.711{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=50FA67527EC0902BB8219A0B61E7C436,SHA256=34661CB0D1F78FF51728108F0A130B30F2A6DE2A6CE096D0CF40A8193629BA53,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000112212Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:18:07.423{D0132419-04DE-614B-3100-00000000FC01}23683044C:\Windows\system32\conhost.exe{D0132419-10EF-614B-4C02-00000000FC01}5988C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000112211Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:18:07.423{D0132419-04CF-614B-0C00-00000000FC01}8484484C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000112210Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:18:07.423{D0132419-04CF-614B-0C00-00000000FC01}8484484C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000112209Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:18:07.423{D0132419-04CF-614B-0C00-00000000FC01}8484484C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000112208Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:18:07.423{D0132419-04CD-614B-0500-00000000FC01}424540C:\Windows\system32\csrss.exe{D0132419-10EF-614B-4C02-00000000FC01}5988C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000112207Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:18:07.423{D0132419-04CF-614B-0C00-00000000FC01}8484484C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000112206Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:18:07.423{D0132419-04DD-614B-2800-00000000FC01}28323704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D0132419-10EF-614B-4C02-00000000FC01}5988C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000112205Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:18:07.425{D0132419-10EF-614B-4C02-00000000FC01}5988C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D0132419-04CD-614B-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{D0132419-04DD-614B-2800-00000000FC01}2832C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000112204Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:18:07.329{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E45CF1435D91C492B93F72FE5AA439FF,SHA256=2A2AC9D9F07DE7C3E06C02D03C7C118A950129AF370EED567B5960D2BDAC9F0B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000112203Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:18:07.329{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=603F77F8A27E0E65101E252231B06A15,SHA256=94AD0B1821F5F84F758FA46FA15985FC417E0208F897939BE23CC2217C97AB1D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000112202Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:18:04.649{D0132419-04E8-614B-6A00-00000000FC01}3852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local55818-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x8000000000000000112201Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:18:07.063{D0132419-10EE-614B-4B02-00000000FC01}54085768C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{D0132419-04DD-614B-2800-00000000FC01}2832C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000112200Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:18:07.063{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E90F297D6D875A94613EAC6A40A48856,SHA256=72BE67AC9AF5AFBB1755EC78C2FC549E4FFBFC3917F6FE6641CADAFE914A5D2C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000094366Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:18:07.274{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=348C5825DF051FFD6447879BCBC988C9,SHA256=284E70BF4B780AF60B631BF968543AA49F376AA569ED227C09ABECDD63F43208,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000094365Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:18:07.274{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=207A70FD5BB1D9F6EBF38A2C81E014E2,SHA256=4E8B2DE6C76EAB4DBAACE79A31FD914979AE397478B767874FD91528DF60BB09,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000094364Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:18:07.258{601D2BAB-04F0-614B-2B00-00000000FD01}28122832C:\Windows\system32\conhost.exe{601D2BAB-10EF-614B-FD01-00000000FD01}2356C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094363Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:18:07.258{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094362Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:18:07.258{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094361Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:18:07.258{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094360Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:18:07.258{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094359Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:18:07.258{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094358Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:18:07.258{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094357Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:18:07.258{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094356Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:18:07.258{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094355Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:18:07.258{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094354Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:18:07.258{601D2BAB-04ED-614B-0500-00000000FD01}412528C:\Windows\system32\csrss.exe{601D2BAB-10EF-614B-FD01-00000000FD01}2356C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000094353Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:18:07.258{601D2BAB-04EF-614B-2300-00000000FD01}15603852C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{601D2BAB-10EF-614B-FD01-00000000FD01}2356C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000094352Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:18:07.259{601D2BAB-10EF-614B-FD01-00000000FD01}2356C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{601D2BAB-04EE-614B-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{601D2BAB-04EF-614B-2300-00000000FD01}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000094383Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:18:08.774{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=348C5825DF051FFD6447879BCBC988C9,SHA256=284E70BF4B780AF60B631BF968543AA49F376AA569ED227C09ABECDD63F43208,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000094382Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:18:08.711{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BDFDDF1B9117F1407F9953A3DB820D9E,SHA256=24D8C6BE6D0A25DAAE08417578789BA5585D5C9FEB61779FF53FD3D9267FCEED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000112214Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:18:08.438{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E45CF1435D91C492B93F72FE5AA439FF,SHA256=2A2AC9D9F07DE7C3E06C02D03C7C118A950129AF370EED567B5960D2BDAC9F0B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000112213Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:18:08.095{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=30015EC28F6A06F50C568A605E05288F,SHA256=92D12A5E38088503CC249C61B4B8D6220613C950E05D07F8E6088DF5F580E63C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000094398Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:18:09.883{601D2BAB-10F1-614B-FF01-00000000FD01}38883524C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{601D2BAB-04EF-614B-2300-00000000FD01}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094397Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:18:09.758{601D2BAB-04F0-614B-2B00-00000000FD01}28122832C:\Windows\system32\conhost.exe{601D2BAB-10F1-614B-FF01-00000000FD01}3888C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094396Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:18:09.758{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094395Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:18:09.758{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094394Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:18:09.758{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094393Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:18:09.758{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094392Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:18:09.758{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094391Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:18:09.758{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094390Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:18:09.758{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094389Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:18:09.758{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094388Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:18:09.758{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094387Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:18:09.758{601D2BAB-04ED-614B-0500-00000000FD01}412528C:\Windows\system32\csrss.exe{601D2BAB-10F1-614B-FF01-00000000FD01}3888C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000094386Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:18:09.758{601D2BAB-04EF-614B-2300-00000000FD01}15603852C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{601D2BAB-10F1-614B-FF01-00000000FD01}3888C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000094385Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:18:09.759{601D2BAB-10F1-614B-FF01-00000000FD01}3888C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{601D2BAB-04EE-614B-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{601D2BAB-04EF-614B-2300-00000000FD01}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000094384Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:18:09.727{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=752E0E3C3CFC13E2FCF7C2F7CA60D978,SHA256=4B52CBBD402F0FE4B1CD2365F76D24D3177FA4F16F0698FD04FA8FA5FE7B9D38,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000112215Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:18:09.110{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D6CDCFC7E59EFEDBBE55B04FF1C19CB,SHA256=170042B0F2A392F3315CB56E0E9BA12A2949434E8276C4C62150EC1C89480EF5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000094426Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:18:10.930{601D2BAB-04F0-614B-2B00-00000000FD01}28122832C:\Windows\system32\conhost.exe{601D2BAB-10F2-614B-0102-00000000FD01}1980C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094425Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:18:10.930{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094424Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:18:10.930{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094423Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:18:10.930{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094422Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:18:10.930{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094421Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:18:10.930{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094420Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:18:10.930{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094419Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:18:10.930{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094418Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:18:10.930{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094417Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:18:10.930{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094416Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:18:10.930{601D2BAB-04ED-614B-0500-00000000FD01}412428C:\Windows\system32\csrss.exe{601D2BAB-10F2-614B-0102-00000000FD01}1980C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000094415Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:18:10.930{601D2BAB-04EF-614B-2300-00000000FD01}15603852C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{601D2BAB-10F2-614B-0102-00000000FD01}1980C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000094414Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:18:10.931{601D2BAB-10F2-614B-0102-00000000FD01}1980C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{601D2BAB-04EE-614B-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{601D2BAB-04EF-614B-2300-00000000FD01}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000112216Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:18:10.142{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C632F24E5E7C11379E2CF4DB4A2674E,SHA256=859E35F71870794CC3DAB3BEDB1E166EA6DC1F517FE84F172724180B627CB018,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000094413Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:18:07.994{601D2BAB-04F9-614B-6600-00000000FD01}2700C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-301.eu-central-1.compute.internal50321-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x800000000000000094412Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:18:10.367{601D2BAB-10F2-614B-0002-00000000FD01}30763396C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{601D2BAB-04EF-614B-2300-00000000FD01}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094411Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:18:10.258{601D2BAB-04F0-614B-2B00-00000000FD01}28122832C:\Windows\system32\conhost.exe{601D2BAB-10F2-614B-0002-00000000FD01}3076C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094410Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:18:10.258{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094409Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:18:10.258{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094408Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:18:10.258{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094407Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:18:10.258{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094406Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:18:10.258{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094405Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:18:10.258{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094404Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:18:10.258{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094403Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:18:10.258{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094402Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:18:10.258{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094401Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:18:10.258{601D2BAB-04ED-614B-0500-00000000FD01}412528C:\Windows\system32\csrss.exe{601D2BAB-10F2-614B-0002-00000000FD01}3076C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000094400Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:18:10.258{601D2BAB-04EF-614B-2300-00000000FD01}15603852C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{601D2BAB-10F2-614B-0002-00000000FD01}3076C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000094399Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:18:10.259{601D2BAB-10F2-614B-0002-00000000FD01}3076C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{601D2BAB-04EE-614B-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{601D2BAB-04EF-614B-2300-00000000FD01}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000094430Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:18:11.947{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=586674D3DBB36576F15FB6BA3744B838,SHA256=872175621770DEACB6C41910956B64E45BB558FCADD9F510A978DDF9FBDEAC03,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000112217Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:18:11.173{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=02BC85132051C46BEE0B2FE5B271E5CF,SHA256=64C070A88E273F9C383446458F0FD6C51D263B7617A7F47512B1587CB8AC9D4E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000094429Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:18:11.227{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F18C0AA64D58E5F1D9050FEE4B946D7,SHA256=E32CF615EF336DE7040FD5BE3A7892A0F1482477A6900C0B14C202DE2127F669,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000094428Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:18:11.196{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9AFE47D5D0D942C1ADE137240836CD16,SHA256=1BF0B5ED1625577362975811A0A516292F3274A039CEB016541D3590347C8ADE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000094427Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:18:11.055{601D2BAB-10F2-614B-0102-00000000FD01}19802128C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{601D2BAB-04EF-614B-2300-00000000FD01}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000094433Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:18:12.951{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CD6ADA42019852D395515FA051BDCF11,SHA256=0D1B51EDDF2FC013895E81A7F648E04D7C27737F4A0848BBFE63F40ABBE85D58,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000094432Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:18:12.452{601D2BAB-04EF-614B-1D00-00000000FD01}1920NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-03510517867203100\channels\health\respondent-20210922102657-049MD5=22FBA84AE51C77110BB6250FAEBEFB73,SHA256=8C4862C18A6D8E85F040577B2F2863C8212E82437A5FE9547DE6724818512818,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000094431Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:18:12.166{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=56E7D5E1AADDE3971DFE582A3B6BBBE6,SHA256=859952D012C46705844F4D570D26587D378BFB6383E9B66FDA418CAF34A63268,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000112219Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:18:10.602{D0132419-04E8-614B-6A00-00000000FC01}3852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local55819-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000112218Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:18:12.204{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=93A514BBF2DF23DD01E62FFE0E111DBE,SHA256=2ECC087BEE4C40AB4C15F910FB2C8D34051FF04A7A0B2419EC7152F3F2BEB86F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000094448Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:18:13.967{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=69263993647D70DBF30190398AB15AFF,SHA256=C8A8F4AA18CF45B646973E357C55A2CA59A393EE92A4C5556578B38211FCDB71,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000112220Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:18:13.204{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F990803CA0AC150F69C563EC46E650D7,SHA256=7BE77E68FB12612426237092D685EB2C5E3125EA962BB6995520EA3C7A0E0540,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000094447Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:18:13.452{601D2BAB-04EF-614B-1D00-00000000FD01}1920NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-03510517867203100\channels\health\surveyor-20210922102655-050MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000094446Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:18:13.013{601D2BAB-04F0-614B-2B00-00000000FD01}28122832C:\Windows\system32\conhost.exe{601D2BAB-10F5-614B-0202-00000000FD01}172C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094445Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:18:13.013{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094444Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:18:13.013{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094443Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:18:13.013{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094442Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:18:13.013{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094441Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:18:13.013{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094440Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:18:13.013{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094439Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:18:13.013{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094438Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:18:13.013{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094437Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:18:13.013{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094436Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:18:13.013{601D2BAB-04ED-614B-0500-00000000FD01}412528C:\Windows\system32\csrss.exe{601D2BAB-10F5-614B-0202-00000000FD01}172C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000094435Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:18:13.013{601D2BAB-04EF-614B-2300-00000000FD01}15603852C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{601D2BAB-10F5-614B-0202-00000000FD01}172C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000094434Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:18:13.014{601D2BAB-10F5-614B-0202-00000000FD01}172C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{601D2BAB-04EE-614B-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{601D2BAB-04EF-614B-2300-00000000FD01}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000094451Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:18:14.967{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=532823D8CD3F99E238B79BE7226FCF25,SHA256=CDF6422E8F6B947D7A924F89947C897BBC78FCFD65C3A43D10FB84D5396C8BAB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000112221Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:18:14.267{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AF87AE4906616D7A37F235D063CA1520,SHA256=EE1772061207C5557223A651320B451D6FD9C55F708EC48AA2637FEB7F3845CD,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000094450Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:18:13.046{601D2BAB-04F9-614B-6600-00000000FD01}2700C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-301.eu-central-1.compute.internal50322-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000094449Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:18:14.014{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CDFCC1CC53049672E93BF38469CE9D88,SHA256=62F8F35359FAD4A4F8D9AC9E264DC7208616110E8AE5930F118C79B264EB37F1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000094452Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:18:15.967{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B5C6A33AD9F06792A086443EE7241151,SHA256=D3BF3A145257BC54E0910EDE6A81681A0A43E3DED5F73E0B67B19C1A4D23D7F0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000112222Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:18:15.282{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FDDD0F722557C7525F0D77089223224C,SHA256=F43EC8144D18F5CE98AE6BEC281692EE0D65EA646E1D163526A2FEDD75460CCB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000094453Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:18:16.967{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=71465A0B87B7747496463755332ED2C8,SHA256=E521F0D364712DD9D61C0D2FDC145709A46C8BE6299283157FE83CFA3E57A5CB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000112223Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:18:16.345{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=579161BC7D30C0618F1BFB82C9BD278A,SHA256=26086B0B199DB32CC753BC1302F8EE6B6E9A5B0508C799016DA0D80897FA84EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000094454Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:18:17.983{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A4C4E15BEC693FEA9AFCF5AF94EC7347,SHA256=28A5FD3EF4B6F6721AFA6022C6BE6BEA0B40E183181FD0AA17C9F61E060AA249,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000112224Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:18:17.360{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EFC9380515F4DCBD5DD771496A391326,SHA256=4160FD997D4DCB09F15E28518B2FD8EB84E228C3A3CB448573AD0B8A10696075,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000112226Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:18:16.540{D0132419-04E8-614B-6A00-00000000FC01}3852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local55820-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000112225Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:18:18.376{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=486D4D38FF4B2C82EEA0A5D2F9CBDBE5,SHA256=E1347DA435DAA0B7F12D20936918FDDB434A5A4199FA06DBCAF15578DC670F16,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000112227Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:18:19.392{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A0A3C081EA5A499656135FF029995C5A,SHA256=BF75A5F3E771EEAEF9B5E329BB229A59FC9F5B15E9E2DF54C445069B6A69D9EA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000094455Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:18:19.014{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C4FAE69BD9E4FDC4EAFD40B0AB036115,SHA256=9BD12CDB5318152683EC4716B5BDB85F5E1EB3F2B8605A0D322166222B93FE0A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000112228Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:18:20.423{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F3FCDF8131276ACECEB3F76062772A79,SHA256=99D6EF250A2804A56D129FB9ECD9A43CCF75775FC0DD6C9B0214C911984D72A0,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000094457Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:18:18.062{601D2BAB-04F9-614B-6600-00000000FD01}2700C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-301.eu-central-1.compute.internal50323-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000094456Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:18:20.021{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC723904FD3947903E57FC2FCDB44E44,SHA256=2190841CD489A50989CDF436CCD720802943721F7F5276D0121DDFFD9E24DA38,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000112229Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:18:21.438{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3BB1C7ED182E2E6BBCE55BF6FE44EB26,SHA256=B4DCA05CE156EAC46C3E8B7C66C46F7F18F875B9BC0057A647AE0AD1EEDBB995,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000094458Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:18:21.037{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C568A0F197261B0EDEA69516E381AEE5,SHA256=2E95FE768970240AB9090B7B37A411085F1632D8D860286F496FE235E5F17A16,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000112230Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:18:22.470{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF24A49EE9F10670DAC2E567E7BD87C5,SHA256=E1686654FF49DA05C95C1EFD9DCE89221F45D3B7B029CB67D73D968B80A37ABE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000094459Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:18:22.037{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0EB48280E9263810F48672AF4E428C57,SHA256=82A609C35ADEBFD6A8A41152BC68F91495C865CA727C82CF3E53B744A2A22BD9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000112232Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:18:21.649{D0132419-04E8-614B-6A00-00000000FC01}3852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local55821-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000112231Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:18:23.485{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B335A0117C2905BAE674C06138B26118,SHA256=DB0F17A60F6246C616DA60F22B520BB3AC5F7CEFE397EAF98578ED46831A2D8D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000094460Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:18:23.037{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3864DF10860078779EB13F1D7F3C25E9,SHA256=DBBC3424536734EF9FB91820BD9B785339239AC94563618684B596089A1A645D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000112233Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:18:24.548{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EDFE098F580478F12BB41F5E733EA41B,SHA256=CA51389451667BC37F0E80D3BE291EAA1FC5CA64E86B2DE7209F55EC9C1C9FFA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000094461Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:18:24.068{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EDA9ACA4B0A5B49C6192D7C484488091,SHA256=6F06A87FEE39E2B13778063DFD9A958BD4D209CEC1631B09AE647ED2A7135F5A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000112235Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:18:25.563{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=56BF171734E8A51382AB3C2B50779D33,SHA256=79BFA18772687F8B0231C4CF71B5FE25066127108D31A407311B15D5618A0B28,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000094463Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:18:25.068{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6175A86B6E253863713E26D5D41DDF48,SHA256=CAC0942E955F287ABB172BB53475371BF0CD808169D92293331AE41A73A0D9CE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000112234Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:18:25.048{D0132419-04D0-614B-1300-00000000FC01}396NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=5695CE9CF7431A77B8F792CCD3F9848A,SHA256=8CE12350259D7255D1937E59B7F7C8B1630DA30A0FB3FD4B6F28712B94D9DB8E,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000094462Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:18:23.085{601D2BAB-04F9-614B-6600-00000000FD01}2700C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-301.eu-central-1.compute.internal50324-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000112236Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:18:26.610{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A07FAABA74DEDA6C70998502CD56ACFE,SHA256=BF9848867A85C8EE4D2E02DBF3D33EA930AC5573A83839517FC40D15342D236E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000094464Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:18:26.068{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC97951F020BC6FD120FCC4A61DD5DC5,SHA256=1156E4FE2DB717A9D46C5C71B28467E763D367135A7D508427AC7E381D48612D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000112237Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:18:27.626{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E78DDB5932949B24DBE5E1FB54B88DC4,SHA256=1F220676D4C0DB2EDB5DD0ADE80E3A39E42E99EAC77E5E8F31A70A098D3E2DD5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000094465Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:18:27.068{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=704C38ECF505B958963C295B6FBE9268,SHA256=98B17F3BBAD7A3D40D628AC92101F7F0150AB7B67A6386C169003014FBC61D35,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000112238Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:18:28.673{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1DAE29599F8883F5F5B7D211BEF128F6,SHA256=8A2AA762EFEB336A070A602DA2176268EC597CA6D3E08E97631E558F110E403F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000094466Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:18:28.099{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F37939B4AB4712FDFEDEA469E0CD654,SHA256=2136E9B9D76CC5E8C246BC577164D1F379B1507B4E1D1237A458002D9F109ECB,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000112240Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:18:27.680{D0132419-04E8-614B-6A00-00000000FC01}3852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local55822-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000112239Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:18:29.704{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D52728E5127CF4D539D0508266F5CB8,SHA256=75C9B5061601B226ABE841A5CF8AB301FF54F88E497B3B27EBBCE78232915C44,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000094467Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:18:29.099{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=872EF2567FA61686E6FC4CEE137C14E9,SHA256=45A989AC0B1E6E9F8E9B6976BDF8512169EFD4B1BEE6534BEE93B3366669BEBC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000112241Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:18:30.720{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B19DCBD94C2BCB2A18D458A6228D326,SHA256=374C4B70570AFAE8B74EA937AF0F325A627656BEC788A0D017026792048BE53C,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000094469Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:18:29.007{601D2BAB-04F9-614B-6600-00000000FD01}2700C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-301.eu-central-1.compute.internal50325-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000094468Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:18:30.177{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=41CFF24B7140F06DAA6EA2B0CE692D12,SHA256=B593D1078FF92AE593CE5E9545FD0CEA79F67A9C759C643A572DCD8325EF4E76,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000112242Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:18:31.767{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=406FE4621983732DB035CBED366A38F8,SHA256=163B872139FA814BA043E5E714A717DEC5369AD91FFA72EF2EDA2F74B456B9AF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000094470Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:18:31.224{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=828A38622C99A7B0DBE7BC85E3F3FAAB,SHA256=4F308DD49E8AD2C9350A7FF548E4F32EA621C1DBE419DEFA7666B2D0244658C0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000112243Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:18:32.813{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=628BFF186E6B82E0ADE5700DA1D65E24,SHA256=AFB8A7FC92681D8270AB3736C26746A33A0D1CC85F7F29D6894C5A65275814BA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000094471Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:18:32.224{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B4F489AD111A3AA4667F142718FEE6B,SHA256=56601505EBD929B62A9DF5ADE76374EEE56C9B01AAE990057BF0DC459E0BBFF3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000112244Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:18:33.829{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=23083F8FE5324E938066F1DAE6153356,SHA256=3DADDE757247947AA686E22506287D28EF9E3B695149556E26B956292CD25D48,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000094472Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:18:33.271{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=798F0DF24D9DCEDDDC910577770D8249,SHA256=AE4994A4900516CF939F434923A97C47A8F1B8ECC8AA68061BBC1B1ECD7780CA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000112245Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:18:34.845{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=63EAFE79AA752E4A5A57F4079DEFDB82,SHA256=B5AD9FB294B67E9135DDCEEABA16E048490AC3C06E2292D6606EDB245B401454,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000094473Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:18:34.318{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=99EE7E6ACF9D3337BDE6611CC0FF7D80,SHA256=A164291AEBBBA01BF1918536BD701D5DC69752FDE6817A69DC657B38E660E04C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000112246Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:18:35.860{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=52298CFA50067CFF05DF1B8EE52FE32C,SHA256=3E9CF42478108089E33B6809D229B738D566EF68EE454DA1C2972A7A12A350BD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000094474Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:18:35.381{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=61E28D30F15097632620A7D7D231FF9A,SHA256=49FBB38954F395B6D11F0E58D6E01EDFC4620C1A646AE80CC58A49C4C0A5E71F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000112249Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:18:36.907{D0132419-04DD-614B-2800-00000000FC01}2832NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=2990B16A694DD695D7F6C8AE7AEE48F0,SHA256=B465CF03FBDF89CAB3FC04972E2D540944CDC3DF8EB3010FFE979D2D499C10D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000112248Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:18:36.876{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC04498A2D2D0CBF1669A511978A35CE,SHA256=39CDA45BDD04CFBC17D8D975263DC47770F2784B92689D6756402CBCCFF4CC57,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000094475Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:18:36.412{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C4E71C5542E5E953FAF1CE5869BECE5,SHA256=AF256FB2CBE8ACC5294CCB291F6D74C2FE3E7F7896DF8E2A18440929404CE7E7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000112247Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:18:33.727{D0132419-04E8-614B-6A00-00000000FC01}3852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local55823-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000112250Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:18:37.907{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0200162A2E357F6F5D868B1D9D6C0987,SHA256=3BFD9AC504B88C161B860957A7A426C3F014E4869062D42B73D279E897BA7D85,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000094477Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:18:37.427{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=213A6D40F54F4D6D1D4982A23AF63AFE,SHA256=787979674EDA1CDAF2B655F53CD84C89D26862A66ADB1A8C1A40933E00958C5B,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000094476Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:18:35.007{601D2BAB-04F9-614B-6600-00000000FD01}2700C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-301.eu-central-1.compute.internal50326-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000112251Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:18:38.907{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F11BBC5333DFB917FF032579B6C410C,SHA256=F30ED1D882B95C00A17A1F06290F286E3DFE351A1146501A1C39E02BC6CB1BF5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000094478Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:18:38.474{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=42E7BD0FBBA5418CA67B8B3356579C0E,SHA256=8C973882C87DF3C9096AB93C562C5908BBE76D557BD67663641E4C518BB353AC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000112253Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:18:39.923{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F537ACDDA53C776C072D17059BCA40D8,SHA256=95C1487BEB01C4A38DE0AB66D261B51AEFD67275819B013B7AD97E0EFB346AA5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000094479Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:18:39.552{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4FD60F11D1DC171C2C66CB55BBC90368,SHA256=CCAC8B04F475C954C014F7B89454EC4124F1A1E5C2AE08FC81A0F19211EBF710,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000112252Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:18:36.383{D0132419-04DD-614B-2800-00000000FC01}2832C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local55824-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x8000000000000000112257Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:18:40.938{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E58F76718367207BA3D4F1563C16480E,SHA256=99FBBED7DF4771D7E3BC6DF6987D3471098C64BF23C865B4F942FB20698DB189,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000094480Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:18:40.604{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=972516490B67438B89F12001803BCD40,SHA256=51DE3F01B9C0920FE2A7E6F87A6CB6E7CB66A9D585BA4A0AA0BDCCED2C372245,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000112256Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:18:40.048{D0132419-04CF-614B-0C00-00000000FC01}8484484C:\Windows\system32\svchost.exe{D0132419-04D0-614B-1600-00000000FC01}1304C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000112255Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:18:40.048{D0132419-04CF-614B-0C00-00000000FC01}8484484C:\Windows\system32\svchost.exe{D0132419-04D0-614B-1600-00000000FC01}1304C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000112254Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:18:40.048{D0132419-04CF-614B-0C00-00000000FC01}8484484C:\Windows\system32\svchost.exe{D0132419-04D0-614B-1600-00000000FC01}1304C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000112258Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:18:41.954{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CD0BB91C2C20149E522436949394935B,SHA256=BA57ED56B7C7E3E31A70B1F83FA9702884D40A34DEEDDFAD6E1E955B6C63D38D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000094482Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:18:41.854{601D2BAB-04EF-614B-2300-00000000FD01}1560NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=2990B16A694DD695D7F6C8AE7AEE48F0,SHA256=B465CF03FBDF89CAB3FC04972E2D540944CDC3DF8EB3010FFE979D2D499C10D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000094481Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:18:41.620{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2D02DE688672B5B9F477959E9D8081B3,SHA256=34133825A9A6846E6E4B3294AAE0D7413857F88D18302820541EB1043AD44188,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000112260Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:18:42.954{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EFF9E1DC4ADACFDD3F925A512555EFA9,SHA256=47B2EEC0947EB6EABE034C4D47A5013CF559949ADCD2A2710E88F7C11D186E93,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000094484Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:18:42.635{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4FFB48437E82CD2EC45596CF187FDB4E,SHA256=39DEC1C0C7F94A17F6021CD8652F1ED085701F26F30A777E7E3DE3FC9D363A2E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000112259Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:18:39.602{D0132419-04E8-614B-6A00-00000000FC01}3852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local55825-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x800000000000000094483Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:18:40.058{601D2BAB-04F9-614B-6600-00000000FD01}2700C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-301.eu-central-1.compute.internal50327-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000094486Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:18:43.635{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=56A8A0C8A701CAB21E90CE903C2E7ED7,SHA256=EA7C4E78746348A5BEC6FF55D7440A67E72FBCF59B50740FF3C70B9C22704B56,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000094485Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:18:41.793{601D2BAB-04EF-614B-2300-00000000FD01}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-301.eu-central-1.compute.internal50328-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x800000000000000094487Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:18:44.635{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=02AAC51D1E97DC9201C9852804D4C7B7,SHA256=44DE759347AE0059A0F35608293D1D6491518AB4A32E26F15FBD2825C658E887,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000112261Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:18:44.001{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=97313563ED3DD9A22D52AD64E777DEB1,SHA256=B264D039A3DE0CD68BD70991FFA3DC2F9B324E8A98556577FA1CF2D14F0E3BFE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000094488Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:18:45.635{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=27B9992F76C24F1CA589199A64905D10,SHA256=795D56A3DA1535E4CDFB54DF3ADD2644A13F9B99CA793DE7A7B965525803696B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000112262Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:18:45.017{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BEA13D63257E9A08C8F1931108404B9E,SHA256=DE6AF89A993D7DAC105CFCEDF7925A0F73D9B50CA542503FBF7530560DC6BAA1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000094490Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:18:46.667{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6DBECAA59798CB50118BAE1D27EA2102,SHA256=7B3DF12461DAB7893ECEFC147B93CBEBFC5D32B922A175EDD8BDBEDF6870F012,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000112263Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:18:46.032{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4BA6CF14BEFB1608686F2241C20A2B80,SHA256=8B6BB0EC574BABA3E2EC6F26B3151377723F083ED2EE5706B383D61F5D4E7200,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000094489Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:18:45.074{601D2BAB-04F9-614B-6600-00000000FD01}2700C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-301.eu-central-1.compute.internal50329-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000094491Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:18:47.714{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F62A33D9B8C69D31E85C548B9B782848,SHA256=304C8AFEC54DB0949382BBB06253ADC4B925B1F39068D3AFF1F82F550CA2EE59,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000112265Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:18:45.634{D0132419-04E8-614B-6A00-00000000FC01}3852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local55826-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000112264Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:18:47.048{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6ADBF4B5E50A76A90DEEA7BB72624157,SHA256=B73A3D2A82392C6117790B030F2DBCC9639946A7501D8C08DB8BDA503E67342F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000094492Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:18:48.760{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=35252219FD6EF75CD2E099B8569B23A3,SHA256=D3ED405CEE00EE255B2FC5CB0A1881EE6B7C9F06A9ECA579C7A4F358A9B8A42C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000112266Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:18:48.048{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C3599CB37007C05FF3390C37E9DEAAFA,SHA256=946DE68449B68CADB5291481339B2E028FFDD111E374E3ED0ADB6D6D13CD9A43,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000094493Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:18:49.776{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF65DBD8301D00D1986E5262D5C9E47C,SHA256=6FAFE6C5BD1FCED18AB0146D1F2394C7CF366C0755308A282A27D021234B51B1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000112275Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:18:49.501{D0132419-04DE-614B-3100-00000000FC01}23683044C:\Windows\system32\conhost.exe{D0132419-1119-614B-4D02-00000000FC01}2752C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000112274Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:18:49.501{D0132419-04CF-614B-0C00-00000000FC01}8484484C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000112273Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:18:49.501{D0132419-04CF-614B-0C00-00000000FC01}8484484C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000112272Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:18:49.501{D0132419-04CF-614B-0C00-00000000FC01}8484484C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000112271Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:18:49.501{D0132419-04CF-614B-0C00-00000000FC01}8484484C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000112270Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:18:49.501{D0132419-04CD-614B-0500-00000000FC01}424440C:\Windows\system32\csrss.exe{D0132419-1119-614B-4D02-00000000FC01}2752C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000112269Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:18:49.501{D0132419-04DD-614B-2800-00000000FC01}28323704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D0132419-1119-614B-4D02-00000000FC01}2752C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000112268Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:18:49.502{D0132419-1119-614B-4D02-00000000FC01}2752C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D0132419-04CD-614B-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{D0132419-04DD-614B-2800-00000000FC01}2832C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000112267Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:18:49.079{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F4DCAF735CA39B0B8468FC2E1E1D0EB7,SHA256=225A33A7F23BC91B819D86CE3F3AA54CDA9F0876ABB6919A0BFC630410D7606F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000094494Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:18:50.792{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7DB47DEED21C7C5CE28AE0D6C53DE241,SHA256=CD36E9FC56B2240BA395669D43270595FD61F96CBC9A2CEB4669EC2F5621915A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000112287Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:18:50.829{D0132419-111A-614B-4E02-00000000FC01}22765052C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{D0132419-04DD-614B-2800-00000000FC01}2832C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000112286Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:18:50.626{D0132419-04DE-614B-3100-00000000FC01}23683044C:\Windows\system32\conhost.exe{D0132419-111A-614B-4E02-00000000FC01}2276C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000112285Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:18:50.626{D0132419-04CF-614B-0C00-00000000FC01}8484484C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000112284Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:18:50.626{D0132419-04CF-614B-0C00-00000000FC01}8484484C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000112283Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:18:50.626{D0132419-04CF-614B-0C00-00000000FC01}8484484C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000112282Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:18:50.626{D0132419-04CF-614B-0C00-00000000FC01}8484484C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000112281Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:18:50.626{D0132419-04CD-614B-0500-00000000FC01}424540C:\Windows\system32\csrss.exe{D0132419-111A-614B-4E02-00000000FC01}2276C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000112280Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:18:50.626{D0132419-04DD-614B-2800-00000000FC01}28323704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D0132419-111A-614B-4E02-00000000FC01}2276C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000112279Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:18:50.627{D0132419-111A-614B-4E02-00000000FC01}2276C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D0132419-04CD-614B-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{D0132419-04DD-614B-2800-00000000FC01}2832C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000112278Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:18:50.532{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D18BDF8F4443861E73B38A476AEEDEA4,SHA256=BA7C57030C292701E3608F0F75AE7F5D11F796F6DC2D1350213A45ED3B2B8C56,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000112277Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:18:50.532{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C0DDA42233A062B28E6A89729670DBDF,SHA256=52D6F06EFC7DCE0B7D4628952FF0AD10AC734C05267E7491A2D78E463A5A458A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000112276Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:18:50.142{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C373DE84B25C7BE4ADB6B6F3D6F83754,SHA256=533459D81D8C6F4175728F5292432C9462F97A3E622B09FD539230A4D23D2327,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000094495Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:18:51.823{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=00F736EFCF646DC946D816CE50327F37,SHA256=7DB0AAF4538E27821030A8B7A218CCAABC9C34E6E48567416CD228B14994BEEF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000112297Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:18:51.673{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D18BDF8F4443861E73B38A476AEEDEA4,SHA256=BA7C57030C292701E3608F0F75AE7F5D11F796F6DC2D1350213A45ED3B2B8C56,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000112296Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:18:51.267{D0132419-04DE-614B-3100-00000000FC01}23683044C:\Windows\system32\conhost.exe{D0132419-111B-614B-4F02-00000000FC01}4104C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000112295Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:18:51.267{D0132419-04CF-614B-0C00-00000000FC01}8484484C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000112294Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:18:51.267{D0132419-04CF-614B-0C00-00000000FC01}8484484C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000112293Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:18:51.267{D0132419-04CF-614B-0C00-00000000FC01}8484484C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000112292Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:18:51.267{D0132419-04CD-614B-0500-00000000FC01}424540C:\Windows\system32\csrss.exe{D0132419-111B-614B-4F02-00000000FC01}4104C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000112291Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:18:51.267{D0132419-04CF-614B-0C00-00000000FC01}8484484C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000112290Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:18:51.267{D0132419-04DD-614B-2800-00000000FC01}28323704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D0132419-111B-614B-4F02-00000000FC01}4104C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000112289Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:18:51.268{D0132419-111B-614B-4F02-00000000FC01}4104C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D0132419-04CD-614B-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{D0132419-04DD-614B-2800-00000000FC01}2832C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000112288Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:18:51.157{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D8286983509CB6ECCE583EEF3BB0CC92,SHA256=6333A602567A2A4DC0669968974FF424A6399AD8D9894B34CDB5E1ED988FE580,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000094497Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:18:52.839{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F8E09A18FFB2D0A4E7A18C54B7BC89A3,SHA256=B091B2D29A5B1B905673A8E24530C92AB6B736499A166B3BFC1156C785DF1B87,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000112300Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:18:50.461{D0132419-04CD-614B-0B00-00000000FC01}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local55827-true0:0:0:0:0:0:0:1win-dc-639.attackrange.local389ldap 354300x8000000000000000112299Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:18:50.461{D0132419-04DD-614B-2500-00000000FC01}2784C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local55827-true0:0:0:0:0:0:0:1win-dc-639.attackrange.local389ldap 23542300x8000000000000000112298Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:18:52.173{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D9949F965C2C14853B81471220750F4A,SHA256=2C91DD199A37FF48286E2150EC38C81FAC79885420A3CB68BF06382FAC98E012,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000094496Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:18:50.106{601D2BAB-04F9-614B-6600-00000000FD01}2700C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-301.eu-central-1.compute.internal50330-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000094498Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:18:53.854{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E473FFE903C5DB94EA5A333507B5BD1F,SHA256=8F7FF382D0127B1EF95E24E752A3AAD7C47BF229513E60B11C5746FDCD83E547,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000112311Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:18:53.845{D0132419-111D-614B-5002-00000000FC01}52925268C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D0132419-04DD-614B-2800-00000000FC01}2832C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000112310Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:18:53.595{D0132419-04DE-614B-3100-00000000FC01}23683044C:\Windows\system32\conhost.exe{D0132419-111D-614B-5002-00000000FC01}5292C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000112309Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:18:53.595{D0132419-04CF-614B-0C00-00000000FC01}8484484C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000112308Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:18:53.595{D0132419-04CF-614B-0C00-00000000FC01}8484484C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000112307Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:18:53.595{D0132419-04CF-614B-0C00-00000000FC01}8484484C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000112306Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:18:53.595{D0132419-04CF-614B-0C00-00000000FC01}8484484C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000112305Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:18:53.595{D0132419-04CD-614B-0500-00000000FC01}424440C:\Windows\system32\csrss.exe{D0132419-111D-614B-5002-00000000FC01}5292C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000112304Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:18:53.595{D0132419-04DD-614B-2800-00000000FC01}28323704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D0132419-111D-614B-5002-00000000FC01}5292C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000112303Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:18:53.595{D0132419-111D-614B-5002-00000000FC01}5292C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D0132419-04CD-614B-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{D0132419-04DD-614B-2800-00000000FC01}2832C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000112302Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:18:50.649{D0132419-04E8-614B-6A00-00000000FC01}3852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local55828-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000112301Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:18:53.188{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C2890B656065E4DC0EE5F9719DDA97E4,SHA256=25B919B01FE3978B94537E9760DD47E0B428D358BCB5D465E0EBF45E38C31BED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000094499Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:18:54.854{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2625D85824918663B1E9A36D072EE4E8,SHA256=B73497BBBC05FACF1B06ECF574875D3A10FFD205689C78D398AD446A8F4829F1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000112313Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:18:54.751{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2C336F3830AB2E2F655B0FBAE91A958F,SHA256=D89F32FF39FC19A814835AD174C6C17603A71A5F64C01EE9F4293B8BB307822E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000112312Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:18:54.220{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3E03C4B60101235A88986A487ADA6900,SHA256=B5C462E2759E65C6053B88FB732A54709151F6B41F603EAEEA15A941772816A7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000094501Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:18:55.886{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=214214A70E799E0C1966C87D81201BE2,SHA256=EBB42C267E1A2E371602C75FF05E4EDECA387820A0EF0BB194B598F42EA676AD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000112314Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:18:55.282{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C0ADEFC4A0B748D19713F9D408714EE,SHA256=C7019F7AB0834EC0D98F59AEF66C4C6B68C456F01B52A19558FC5DB6C684D3A7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000094500Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:18:55.261{601D2BAB-04EE-614B-1100-00000000FD01}972NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=20597172B6C3181FD129DFC659B6F814,SHA256=7CB6F85DBEA681A5C536BB8F5817D962DF40E0795F485624A0633B805F69975A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000094503Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:18:56.886{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B10184AE2F6CA5F1A3FD9DB220026EE,SHA256=6793C19A28F6AC5710C6C9852D4C1D9E3A9ADC9C0E7F06C4F820AFC70D3A6EAB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000112316Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:18:56.457{D0132419-04DD-614B-2900-00000000FC01}2876NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-00d0db05f68d8430c\channels\health\respondent-20210922102639-050MD5=345F625AB226979275E8E5CD8333D545,SHA256=49B2C959B2C09B2DF7CFAED4905912E8B63F426A3734D76F2BAAFA07100D73D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000112315Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:18:56.283{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B9CF13A25C7B6391CBE85CF1E0388EE,SHA256=8C218EAD2090600E46F5853FDB34BC7E760D8496E0E39C1974DB6C76B6F399D6,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000094502Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:18:55.106{601D2BAB-04F9-614B-6600-00000000FD01}2700C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-301.eu-central-1.compute.internal50331-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000094507Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:18:57.886{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8346852C02D03AE94A8234764F331DF4,SHA256=3B9025173022C3157D3BA64EBBCA195DB0EE40C5B1F3A22E7911012150AEC278,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000112318Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:18:57.472{D0132419-04DD-614B-2900-00000000FC01}2876NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-00d0db05f68d8430c\channels\health\surveyor-20210922102637-051MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000112317Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:18:57.314{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B71A67C31B6BFB49DBD0F3827EDE4CE9,SHA256=5CBE0075E2F398827666160266CE58179F0DE05550FC1D6DF77F923256660559,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000094506Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:18:57.479{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EE-614B-1300-00000000FD01}804C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094505Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:18:57.479{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EE-614B-1300-00000000FD01}804C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094504Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:18:57.479{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EE-614B-1300-00000000FD01}804C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000094508Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:18:58.886{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE8611D05C710830031DD640F89FC50C,SHA256=8C6A3A609330D6E8E08D6B06197FD24CF3B2D3552153BA5CF094686C586704FD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000112319Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:18:58.410{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8CA332938510FEE74E85669D2D7E92E8,SHA256=BA023B9BA6539D0BFE711652EBE71618B37713F972C3D7445D4D40FF6FEB2EDD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000094509Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:18:59.930{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=76AA79E81D874CDD5FC4C0789CA535A1,SHA256=08004C56E35911C1F37C080519114A19B79425CE0D3E482D43B05EA1C43199F5,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000112321Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:18:56.634{D0132419-04E8-614B-6A00-00000000FC01}3852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local55829-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000112320Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:18:59.426{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF64FC5AA01BD95236A29ED9200A684E,SHA256=E14BF1725164F3B06B61EF142570007846C4C10F30DCAABC7E3010EBE779ADBC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000094510Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:19:00.930{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=069115106A9065856B09D937C723AC72,SHA256=DA036A1DD40AA0DD73A4C3B9C5069EEE41C40B02B8AFB768CA623B80625C6208,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000112322Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:19:00.441{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=41EEE2F6ACF123FC368DB7A5EAF202BD,SHA256=551DD31C30B300EF3AC76A57698E54D229F09AED31063D9BA0FE225DA676003B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000094512Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:19:01.992{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E646B171470286F52AF033B5ADF4FCC7,SHA256=EAE4C6DC2A30CD24D347BDEAA3F7DB109D6C25EE25C630CCAD20A82597FBB2DF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000112323Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:19:01.457{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD516E70B26897F75BFE5E500AC8634B,SHA256=4981E262094F0DB553F82D013FB75A30FB287EF5841773B7BCA92107F2489B16,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000094511Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:19:00.212{601D2BAB-04F9-614B-6600-00000000FD01}2700C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-301.eu-central-1.compute.internal50332-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000094513Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:19:02.992{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A168627EC5E612FE36A688050D40880D,SHA256=DC8CBCABCE0C7B95853B9A3C3CE3D8E84A34A1CD3E07C3FB64054A7C76A570AF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000112324Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:19:02.472{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6AD9708146AA588B5123A67AD597D564,SHA256=972852CC8DBF9F12544045681D42AF578F7007652B78C91A5BDD9E7A1D2A55FE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000094514Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:19:03.992{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=93C1851EF72803D12F1CA275D06FBCC7,SHA256=F6906809EE52BA784868D5528A705EC7F45080F34F2E42D264BA26FA10A9F4F4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000112326Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:19:01.636{D0132419-04E8-614B-6A00-00000000FC01}3852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local55830-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000112325Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:19:03.488{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=791294227B7D77AB4184FB7360D0CC5D,SHA256=B56DF11A3C4EF9F4BABF5907F02B50C7AD253F7A2468AAB8D014ADA0F864DB26,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000112327Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:19:04.504{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=694AECABD33C6331BE89D45BBBB9D453,SHA256=873532C8D5DF670E1F9B061D750AACADDD48043A933E793C1757409D459D9DC5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000112328Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:19:05.519{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B70D4B715B2A7932CD75C7C2A89EB78F,SHA256=AA023B1175D831575D5ECB4774FF661DE3DB212F335C4567616132E903D02BE5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000094515Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:19:05.008{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0CB4A438D76B7F110E433E4F1052CCBE,SHA256=50A51A6400EB04241BD8996A25D9D48D28606C58AEC168DE3CFAE3172659AFE2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000112346Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:19:06.894{D0132419-04DE-614B-3100-00000000FC01}23683044C:\Windows\system32\conhost.exe{D0132419-112A-614B-5202-00000000FC01}5684C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000112345Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:19:06.894{D0132419-04CF-614B-0C00-00000000FC01}8481412C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000112344Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:19:06.894{D0132419-04CF-614B-0C00-00000000FC01}8481412C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000112343Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:19:06.894{D0132419-04CF-614B-0C00-00000000FC01}8481412C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000112342Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:19:06.894{D0132419-04CF-614B-0C00-00000000FC01}8481412C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000112341Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:19:06.894{D0132419-04CD-614B-0500-00000000FC01}42492C:\Windows\system32\csrss.exe{D0132419-112A-614B-5202-00000000FC01}5684C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000112340Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:19:06.894{D0132419-04DD-614B-2800-00000000FC01}28323704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D0132419-112A-614B-5202-00000000FC01}5684C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000112339Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:19:06.895{D0132419-112A-614B-5202-00000000FC01}5684C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{D0132419-04CD-614B-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{D0132419-04DD-614B-2800-00000000FC01}2832C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000112338Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:19:06.519{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=445EC17B5F86CCE6E2F3F442E10D44EA,SHA256=8849931C41C8246F07F62763CDE4512D1BE387EF3DB94B3E5FD7CA20C13CC180,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000094529Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:19:06.227{601D2BAB-04F0-614B-2B00-00000000FD01}28122832C:\Windows\system32\conhost.exe{601D2BAB-112A-614B-0302-00000000FD01}640C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094528Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:19:06.227{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094527Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:19:06.227{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094526Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:19:06.227{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094525Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:19:06.227{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094524Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:19:06.227{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094523Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:19:06.227{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094522Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:19:06.227{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094521Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:19:06.227{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094520Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:19:06.227{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094519Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:19:06.227{601D2BAB-04ED-614B-0500-00000000FD01}412428C:\Windows\system32\csrss.exe{601D2BAB-112A-614B-0302-00000000FD01}640C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000094518Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:19:06.227{601D2BAB-04EF-614B-2300-00000000FD01}15603852C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{601D2BAB-112A-614B-0302-00000000FD01}640C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000094517Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:19:06.227{601D2BAB-112A-614B-0302-00000000FD01}640C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{601D2BAB-04EE-614B-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{601D2BAB-04EF-614B-2300-00000000FD01}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000094516Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:19:06.008{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D662A20DD09944D8FAA035613898867,SHA256=E2D1990CB47DA06B78680788B8A61D426F6A6F62B0F348160EBA339676D76EFA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000112337Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:19:06.410{D0132419-112A-614B-5102-00000000FC01}53525476C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{D0132419-04DD-614B-2800-00000000FC01}2832C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000112336Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:19:06.222{D0132419-04DE-614B-3100-00000000FC01}23683044C:\Windows\system32\conhost.exe{D0132419-112A-614B-5102-00000000FC01}5352C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000112335Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:19:06.222{D0132419-04CF-614B-0C00-00000000FC01}8481412C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000112334Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:19:06.222{D0132419-04CF-614B-0C00-00000000FC01}8481412C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000112333Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:19:06.222{D0132419-04CF-614B-0C00-00000000FC01}8481412C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000112332Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:19:06.222{D0132419-04CF-614B-0C00-00000000FC01}8481412C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000112331Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:19:06.222{D0132419-04CD-614B-0500-00000000FC01}424440C:\Windows\system32\csrss.exe{D0132419-112A-614B-5102-00000000FC01}5352C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000112330Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:19:06.222{D0132419-04DD-614B-2800-00000000FC01}28323704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D0132419-112A-614B-5102-00000000FC01}5352C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000112329Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:19:06.223{D0132419-112A-614B-5102-00000000FC01}5352C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D0132419-04CD-614B-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{D0132419-04DD-614B-2800-00000000FC01}2832C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000112358Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:19:07.566{D0132419-04DE-614B-3100-00000000FC01}23683044C:\Windows\system32\conhost.exe{D0132419-112B-614B-5302-00000000FC01}296C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000112357Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:19:07.566{D0132419-04CF-614B-0C00-00000000FC01}8481412C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000112356Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:19:07.566{D0132419-04CF-614B-0C00-00000000FC01}8481412C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000112355Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:19:07.566{D0132419-04CF-614B-0C00-00000000FC01}8481412C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000112354Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:19:07.566{D0132419-04CF-614B-0C00-00000000FC01}8481412C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000112353Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:19:07.566{D0132419-04CD-614B-0500-00000000FC01}424540C:\Windows\system32\csrss.exe{D0132419-112B-614B-5302-00000000FC01}296C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000112352Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:19:07.566{D0132419-04DD-614B-2800-00000000FC01}28323704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D0132419-112B-614B-5302-00000000FC01}296C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000112351Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:19:07.567{D0132419-112B-614B-5302-00000000FC01}296C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D0132419-04CD-614B-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{D0132419-04DD-614B-2800-00000000FC01}2832C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000112350Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:19:07.535{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D520226A8793E41DAED87A21AC5F7B9B,SHA256=5EC52172B24A50472DF1D11794996A324DE5D80882DAD15FA9404F41EEF68E4A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000094560Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:19:07.899{601D2BAB-112B-614B-0502-00000000FD01}3252400C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{601D2BAB-04EF-614B-2300-00000000FD01}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x800000000000000094559Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:19:06.009{601D2BAB-04F9-614B-6600-00000000FD01}2700C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-301.eu-central-1.compute.internal50333-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x800000000000000094558Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:19:07.774{601D2BAB-04F0-614B-2B00-00000000FD01}28122832C:\Windows\system32\conhost.exe{601D2BAB-112B-614B-0502-00000000FD01}3252C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094557Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:19:07.774{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094556Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:19:07.774{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094555Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:19:07.774{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094554Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:19:07.774{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094553Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:19:07.774{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094552Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:19:07.774{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094551Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:19:07.774{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094550Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:19:07.774{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094549Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:19:07.774{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094548Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:19:07.774{601D2BAB-04ED-614B-0500-00000000FD01}412428C:\Windows\system32\csrss.exe{601D2BAB-112B-614B-0502-00000000FD01}3252C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000094547Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:19:07.774{601D2BAB-04EF-614B-2300-00000000FD01}15603852C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{601D2BAB-112B-614B-0502-00000000FD01}3252C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000094546Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:19:07.774{601D2BAB-112B-614B-0502-00000000FD01}3252C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{601D2BAB-04EE-614B-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{601D2BAB-04EF-614B-2300-00000000FD01}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000094545Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:19:07.321{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=ED313B13927F9EB29EA8FEBAF2360F2E,SHA256=45ECB7C7B75BF5A186425CF6F6B8E9F81F4D42707CF8EB01CE0DD2CCFB9EE38D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000094544Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:19:07.321{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=15392C82CC1BA668FEA4BD1A189D47B8,SHA256=4E5689A66A8094F412EF5C56BF1558A910114310B2FB898D855F2807E1D01776,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000094543Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:19:07.102{601D2BAB-04F0-614B-2B00-00000000FD01}28122832C:\Windows\system32\conhost.exe{601D2BAB-112B-614B-0402-00000000FD01}636C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094542Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:19:07.102{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094541Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:19:07.102{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094540Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:19:07.102{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094539Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:19:07.102{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094538Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:19:07.102{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094537Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:19:07.102{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094536Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:19:07.102{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094535Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:19:07.102{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094534Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:19:07.102{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094533Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:19:07.102{601D2BAB-04ED-614B-0500-00000000FD01}412428C:\Windows\system32\csrss.exe{601D2BAB-112B-614B-0402-00000000FD01}636C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000094532Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:19:07.102{601D2BAB-04EF-614B-2300-00000000FD01}15603852C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{601D2BAB-112B-614B-0402-00000000FD01}636C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000094531Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:19:07.103{601D2BAB-112B-614B-0402-00000000FD01}636C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{601D2BAB-04EE-614B-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{601D2BAB-04EF-614B-2300-00000000FD01}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000094530Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:19:07.008{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1785959E25C7969898920C5654BE6094,SHA256=EE70B2AFE8F04542BB9FAAC40E8D59E4B7C377B5A2A8D2C0F2F124C48CCE205B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000112349Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:19:07.238{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4073CC7B21ECA82CC4177C1A1733790C,SHA256=7498E73291387BB7036F58E3902BFAC9DE1C580766B3F3F930CD317E53198E64,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000112348Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:19:07.238{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=471C3126D939FC78DE9C7A9FA2401062,SHA256=6ACD2D3A14AEAB8E70198427EF6AAE1BCDBF8C557C5F825DA1E969C1CC791B74,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000112347Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:19:07.082{D0132419-112A-614B-5202-00000000FC01}56845280C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D0132419-04DD-614B-2800-00000000FC01}2832C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000112389Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:19:08.738{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F8CA4407CEB6E31B3D085DEA5801B00B,SHA256=E7EBD3A0761074F2FB602197D272F9B8A765115D01010539B9259BAA219A649F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000112388Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:19:08.738{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4073CC7B21ECA82CC4177C1A1733790C,SHA256=7498E73291387BB7036F58E3902BFAC9DE1C580766B3F3F930CD317E53198E64,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000094562Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:19:08.836{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=ED313B13927F9EB29EA8FEBAF2360F2E,SHA256=45ECB7C7B75BF5A186425CF6F6B8E9F81F4D42707CF8EB01CE0DD2CCFB9EE38D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000094561Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:19:08.086{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=44350F20AC8953A48631A5A902B102B6,SHA256=F6E8B0EEB9C8B2024BC3D2E51DE2816618A806511B8394792765077F53F1079A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000112387Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:19:08.441{D0132419-04CF-614B-0D00-00000000FC01}908928C:\Windows\system32\svchost.exe{D0132419-0A67-614B-5101-00000000FC01}4416C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000112386Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:19:08.441{D0132419-04CF-614B-0D00-00000000FC01}908928C:\Windows\system32\svchost.exe{D0132419-0A67-614B-5101-00000000FC01}4416C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000112385Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:19:08.441{D0132419-04CF-614B-0D00-00000000FC01}908928C:\Windows\system32\svchost.exe{D0132419-0A67-614B-5101-00000000FC01}4416C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000112384Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:19:08.441{D0132419-04CF-614B-0D00-00000000FC01}908928C:\Windows\system32\svchost.exe{D0132419-0A67-614B-5101-00000000FC01}4416C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000112383Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:19:08.441{D0132419-04CF-614B-0D00-00000000FC01}908928C:\Windows\system32\svchost.exe{D0132419-0A67-614B-5101-00000000FC01}4416C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000112382Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:19:08.441{D0132419-04CF-614B-0D00-00000000FC01}908928C:\Windows\system32\svchost.exe{D0132419-0A67-614B-5101-00000000FC01}4416C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000112381Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:19:08.441{D0132419-04CF-614B-0D00-00000000FC01}908928C:\Windows\system32\svchost.exe{D0132419-0A67-614B-5101-00000000FC01}4416C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000112380Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:19:08.441{D0132419-04CF-614B-0D00-00000000FC01}908928C:\Windows\system32\svchost.exe{D0132419-0A67-614B-5101-00000000FC01}4416C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000112379Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:19:08.441{D0132419-04CF-614B-0D00-00000000FC01}908928C:\Windows\system32\svchost.exe{D0132419-0A67-614B-5201-00000000FC01}4528C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000112378Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:19:08.441{D0132419-04CF-614B-0D00-00000000FC01}908928C:\Windows\system32\svchost.exe{D0132419-0A67-614B-5201-00000000FC01}4528C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000112377Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:19:08.441{D0132419-04CF-614B-0D00-00000000FC01}908928C:\Windows\system32\svchost.exe{D0132419-0A67-614B-5201-00000000FC01}4528C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000112376Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:19:08.441{D0132419-04CF-614B-0D00-00000000FC01}908928C:\Windows\system32\svchost.exe{D0132419-0A66-614B-5001-00000000FC01}4192C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000112375Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:19:08.441{D0132419-04CF-614B-0D00-00000000FC01}908928C:\Windows\system32\svchost.exe{D0132419-0A66-614B-5001-00000000FC01}4192C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000112374Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:19:08.441{D0132419-04CF-614B-0D00-00000000FC01}908928C:\Windows\system32\svchost.exe{D0132419-0A66-614B-5001-00000000FC01}4192C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000112373Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:19:08.441{D0132419-04CF-614B-0D00-00000000FC01}908928C:\Windows\system32\svchost.exe{D0132419-0A66-614B-5001-00000000FC01}4192C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000112372Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:19:08.441{D0132419-04CF-614B-0D00-00000000FC01}908928C:\Windows\system32\svchost.exe{D0132419-0A66-614B-5001-00000000FC01}4192C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000112371Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:19:08.441{D0132419-04CF-614B-0D00-00000000FC01}908928C:\Windows\system32\svchost.exe{D0132419-0A66-614B-5001-00000000FC01}4192C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000112370Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:19:08.441{D0132419-04CF-614B-0D00-00000000FC01}908928C:\Windows\system32\svchost.exe{D0132419-0A66-614B-5001-00000000FC01}4192C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000112369Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:19:08.441{D0132419-04CF-614B-0D00-00000000FC01}908928C:\Windows\system32\svchost.exe{D0132419-0A66-614B-5001-00000000FC01}4192C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000112368Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:19:08.441{D0132419-04CF-614B-0D00-00000000FC01}908928C:\Windows\system32\svchost.exe{D0132419-0A66-614B-5001-00000000FC01}4192C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000112367Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:19:08.441{D0132419-04CF-614B-0D00-00000000FC01}908928C:\Windows\system32\svchost.exe{D0132419-0A66-614B-5001-00000000FC01}4192C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000112366Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:19:08.441{D0132419-04CF-614B-0D00-00000000FC01}908928C:\Windows\system32\svchost.exe{D0132419-0A66-614B-5001-00000000FC01}4192C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000112365Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:19:08.441{D0132419-04CF-614B-0D00-00000000FC01}908928C:\Windows\system32\svchost.exe{D0132419-0A66-614B-5001-00000000FC01}4192C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000112364Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:19:08.441{D0132419-04CF-614B-0D00-00000000FC01}908928C:\Windows\system32\svchost.exe{D0132419-0A66-614B-5001-00000000FC01}4192C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000112363Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:19:08.441{D0132419-04CF-614B-0D00-00000000FC01}908928C:\Windows\system32\svchost.exe{D0132419-0A66-614B-5001-00000000FC01}4192C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000112362Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:19:08.441{D0132419-04CF-614B-0D00-00000000FC01}908928C:\Windows\system32\svchost.exe{D0132419-0A66-614B-5001-00000000FC01}4192C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000112361Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:19:08.441{D0132419-04CF-614B-0D00-00000000FC01}908928C:\Windows\system32\svchost.exe{D0132419-0A66-614B-5001-00000000FC01}4192C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000112360Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:19:08.441{D0132419-04CF-614B-0D00-00000000FC01}908928C:\Windows\system32\svchost.exe{D0132419-0A66-614B-5001-00000000FC01}4192C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000112359Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:19:08.441{D0132419-04CF-614B-0D00-00000000FC01}908928C:\Windows\system32\svchost.exe{D0132419-0A66-614B-5001-00000000FC01}4192C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000112391Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:19:09.754{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E20D2F04FE9A504F4D577CD1FA99AA4,SHA256=BA3324A7B5AF4B07787F6DD0F8B22870BCA651EE97AEAAA8BB5490E2E8F5E8C1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000094577Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:19:09.883{601D2BAB-112D-614B-0602-00000000FD01}2848396C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{601D2BAB-04EF-614B-2300-00000000FD01}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094576Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:19:09.758{601D2BAB-04F0-614B-2B00-00000000FD01}28122832C:\Windows\system32\conhost.exe{601D2BAB-112D-614B-0602-00000000FD01}2848C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094575Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:19:09.758{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094574Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:19:09.758{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094573Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:19:09.758{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094572Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:19:09.758{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094571Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:19:09.758{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094570Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:19:09.758{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094569Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:19:09.758{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094568Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:19:09.758{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094567Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:19:09.758{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094566Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:19:09.758{601D2BAB-04ED-614B-0500-00000000FD01}412428C:\Windows\system32\csrss.exe{601D2BAB-112D-614B-0602-00000000FD01}2848C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000094565Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:19:09.758{601D2BAB-04EF-614B-2300-00000000FD01}15603852C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{601D2BAB-112D-614B-0602-00000000FD01}2848C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000094564Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:19:09.759{601D2BAB-112D-614B-0602-00000000FD01}2848C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{601D2BAB-04EE-614B-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{601D2BAB-04EF-614B-2300-00000000FD01}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000094563Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:19:09.102{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=22235BAEA4D393D8A956EAEEA9A0650D,SHA256=89A40440B70010D2CE82B98F5B3F40FAE6A46D4BC82CD0A6FCD381F96D7B9AFA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000112390Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:19:07.526{D0132419-04E8-614B-6A00-00000000FC01}3852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local55831-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000112392Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:19:10.785{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E70DD4232E6025A74C72C5BECE78A315,SHA256=66D00810E0AD276F5740AB4CD9167DE36229A19E0AEFEC2B5F14F42360F808F8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000094606Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:19:10.930{601D2BAB-04F0-614B-2B00-00000000FD01}28122832C:\Windows\system32\conhost.exe{601D2BAB-112E-614B-0802-00000000FD01}2176C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094605Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:19:10.930{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094604Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:19:10.930{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094603Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:19:10.930{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094602Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:19:10.930{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094601Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:19:10.930{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094600Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:19:10.930{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094599Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:19:10.930{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094598Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:19:10.930{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094597Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:19:10.930{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094596Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:19:10.930{601D2BAB-04ED-614B-0500-00000000FD01}412428C:\Windows\system32\csrss.exe{601D2BAB-112E-614B-0802-00000000FD01}2176C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000094595Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:19:10.930{601D2BAB-04EF-614B-2300-00000000FD01}15603852C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{601D2BAB-112E-614B-0802-00000000FD01}2176C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000094594Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:19:10.931{601D2BAB-112E-614B-0802-00000000FD01}2176C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{601D2BAB-04EE-614B-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{601D2BAB-04EF-614B-2300-00000000FD01}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000094593Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:19:10.836{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6209391B809D534C174DFB05D055FBDC,SHA256=347694AAA3604A06EAFA6267AB63218CA3A06DCA8C265392A1061614D044140A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000094592Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:19:10.383{601D2BAB-112E-614B-0702-00000000FD01}10002856C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{601D2BAB-04EF-614B-2300-00000000FD01}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094591Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:19:10.258{601D2BAB-04F0-614B-2B00-00000000FD01}28122832C:\Windows\system32\conhost.exe{601D2BAB-112E-614B-0702-00000000FD01}1000C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094590Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:19:10.258{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094589Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:19:10.258{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094588Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:19:10.258{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094587Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:19:10.258{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094586Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:19:10.258{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094585Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:19:10.258{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094584Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:19:10.258{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094583Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:19:10.258{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094582Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:19:10.258{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094581Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:19:10.258{601D2BAB-04ED-614B-0500-00000000FD01}4121044C:\Windows\system32\csrss.exe{601D2BAB-112E-614B-0702-00000000FD01}1000C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000094580Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:19:10.258{601D2BAB-04EF-614B-2300-00000000FD01}15603852C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{601D2BAB-112E-614B-0702-00000000FD01}1000C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000094579Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:19:10.259{601D2BAB-112E-614B-0702-00000000FD01}1000C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{601D2BAB-04EE-614B-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{601D2BAB-04EF-614B-2300-00000000FD01}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000094578Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:19:10.164{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=45C1E5396355ED8C486695E7E6767ABF,SHA256=3C54B6F5F46D6B32F195BBBF4CFFB028EE27F00D8C461E4613E341440FC14A30,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000112393Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:19:11.801{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2859AD09646D2E29C4F7F4C56FEB0E9B,SHA256=8F664CEAA9D6E4337A0124206BB9FBD27E9E7219782C8A091BD0AD179E14DCA4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000094609Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:19:11.930{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1428517350FD4D8D36E5C4D4D71C1E55,SHA256=ACAA8B77E51D35FA662D8B24AC0B34BF6384AA662A79C988D5E3F1396B674B8F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000094608Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:19:11.352{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=888EF1B7D6072F50903D53E538AB7E2D,SHA256=4B97D9543CF84FA0D069B42997F34732138754212369046E78EC10F9978AF249,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000094607Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:19:11.055{601D2BAB-112E-614B-0802-00000000FD01}2176736C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{601D2BAB-04EF-614B-2300-00000000FD01}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000112394Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:19:12.816{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=98F35292C85C2AE562DE96759562B6CC,SHA256=818B15C65D9A2D1537FD9F2BA114926CB2B613AED25C6D374D640CA50CFE3785,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000094611Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:19:11.135{601D2BAB-04F9-614B-6600-00000000FD01}2700C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-301.eu-central-1.compute.internal50334-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000094610Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:19:12.430{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=29BD6FCDC1662986E51BAE50E445D726,SHA256=ECA8B8BFB133C154EE26E9EB0A09F8196BD023BDA00BC0695F02A07AFE3D6721,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000112395Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:19:13.847{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B6012B863CF5DD1D58037B87B73147F,SHA256=370633ABB07ED469950BE4130C1F9FC6119981D3D286BE08229D23DC2E243037,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000094626Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:19:13.980{601D2BAB-04EF-614B-1D00-00000000FD01}1920NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-03510517867203100\channels\health\respondent-20210922102657-050MD5=22FBA84AE51C77110BB6250FAEBEFB73,SHA256=8C4862C18A6D8E85F040577B2F2863C8212E82437A5FE9547DE6724818512818,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000094625Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:19:13.430{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F01B149D6FD403DB1E6EFE1AF274EE68,SHA256=90D3704819BD2054F6B41BA0C87717A4BF72D91B558C3C1FF182ED0DF8E93D48,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000094624Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:19:13.039{601D2BAB-04F0-614B-2B00-00000000FD01}28122832C:\Windows\system32\conhost.exe{601D2BAB-1131-614B-0902-00000000FD01}3964C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094623Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:19:13.039{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094622Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:19:13.039{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094621Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:19:13.039{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094620Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:19:13.039{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094619Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:19:13.039{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094618Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:19:13.039{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094617Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:19:13.039{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094616Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:19:13.039{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094615Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:19:13.039{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094614Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:19:13.039{601D2BAB-04ED-614B-0500-00000000FD01}412428C:\Windows\system32\csrss.exe{601D2BAB-1131-614B-0902-00000000FD01}3964C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000094613Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:19:13.039{601D2BAB-04EF-614B-2300-00000000FD01}15603852C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{601D2BAB-1131-614B-0902-00000000FD01}3964C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000094612Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:19:13.040{601D2BAB-1131-614B-0902-00000000FD01}3964C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{601D2BAB-04EE-614B-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{601D2BAB-04EF-614B-2300-00000000FD01}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000112397Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:19:14.863{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4324745DFF7FAD80F67746BE7D28DF2D,SHA256=11A39CD33E3031493DF8E76A52FD3B627A73121897D2B9F4508B4620BA27DA51,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000094628Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:19:14.462{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=40DB70B743F90227D9F991117BF08F5E,SHA256=21C205B333D3D17C38E94BA5838DD0C329A63ACCC26829F893D45E243077613D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000112396Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:19:12.714{D0132419-04E8-614B-6A00-00000000FC01}3852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local55832-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000094627Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:19:14.275{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0AE5B6BDA0CE40296AEA14586402C040,SHA256=B4726145B36B02BF51F1EBAF742B4181607C66B8CD036B94708837D03604F312,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000112398Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:19:15.879{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=452BDBABEB19F3DD9FC758B867BBE343,SHA256=B055A06115DD0AD1C26D9659B241610ED2D09E5DF8F017A31432378DDD87B028,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000094630Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:19:15.471{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B81AF0712350DD87449FDD2FDA1154E,SHA256=6AD24C9AB5C3E6DABF084EFCFEF7DEC3422D33FAE27C820DC88CA20EFB745AB7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000094629Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:19:14.996{601D2BAB-04EF-614B-1D00-00000000FD01}1920NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-03510517867203100\channels\health\surveyor-20210922102655-051MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000112399Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:19:16.879{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F32C5471716B02D86115E16C811ED1AD,SHA256=358A5A3A8939865B4D30D103771B883A5605F30C3D7459398AB094DCA7658C99,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000094631Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:19:16.488{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E6FB6584F0795EBD2FE909043117FF89,SHA256=4B3BAABA61BDFBA7C4CB4385CAF8A8A725CED86F56EE80521A8AF57D7B5FFF0D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000112400Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:19:17.894{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=20AADF9DF70A8F391488912C4180931C,SHA256=AB86F5313329B5A24C17212295D4936C99780CE3CCD48B1FCED657901FCB2D85,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000094632Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:19:17.488{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D61449CF010D1DFD102CE66FCCE1A07,SHA256=D6AC87EC75D8B15B6F7EB5D16EDDE2314DC35D5A44D447DBBAD35D0DF333589A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000112401Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:19:18.910{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=44E2E1231475A64147ED489A4E7F0931,SHA256=68708F197F37D76A747FD59CAB2BE00C89991F3B11958F1E62FA4BDCB89E0D18,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000094633Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:19:18.488{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=391F02876F2DF8DEBD70D98FF9972A6E,SHA256=883B4C0E763C13C5282F56C66FB0871559C4979B3B043E1DC15B2D21DD8106EC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000112402Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:19:19.910{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=328E1FE3196FD8A40B0D93EB52F9C9FD,SHA256=A9715157A8027C6CEFC81040BA55F69F75EFCF58C5295D6A22F6CDE6F0CBA9D8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000094635Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:19:19.520{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3B8B0207D93AB0489CB5581B61167FD7,SHA256=80FC5FA252AC52E8064F3EFC60A96E652EC4D14DB5150DB97D6C32B535CB602D,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000094634Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:19:17.068{601D2BAB-04F9-614B-6600-00000000FD01}2700C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-301.eu-central-1.compute.internal50335-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000094636Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:19:20.524{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C6275EC97331F35264037750F472C671,SHA256=A8B0286598C23EC6C45B8CBF898BF8C845B949325D341AE4D3861CD0D494357F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000112403Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:19:18.698{D0132419-04E8-614B-6A00-00000000FC01}3852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local55833-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000094637Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:19:21.524{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=766823C6F74D955C370F9662E46642BD,SHA256=15FBA862B05F5787DFC9C8F95A7689AC759B0FCFEB5F3AE5FB514D8E90D520F4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000112404Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:19:21.129{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=061A0879685B2469728452E4114ABD1A,SHA256=7529D6E7D39C976CD0993F05A448C8DB27CF073A9012BF87F9C6C2B5B601E529,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000094638Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:19:22.587{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=44912004C9D3458E5A37E44F6DC560AF,SHA256=076D4AA51A8E601D2287C120225A0475346FE84D0AF5C0F604EE5CD1072647B2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000112405Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:19:22.144{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB7666D2101C74CE5E72A5C476CFEF59,SHA256=A1152355BBF8AEF420902EFA0A5ECA8EF8F5BF8EF76FB6E25938DE33A81937B4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000094639Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:19:23.587{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7475BC90AF05EA4AF7D67A9A1D5C8217,SHA256=C91C63958BB510BA610AE7D2BE181D78670196AA6C73282B50A004971632D68E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000112406Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:19:23.160{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=54ACE27F5B29C3818BF06E83C8E65FB4,SHA256=7CC01A30A0B058FF6BCDF3BACD95A986F46A992C892D231DC4D2010BFD35F28D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000094640Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:19:24.634{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4EEA41A7E6F3DC8509CFCFA53387567B,SHA256=F60DF36AEFE9FBB3BE2CE10DE0802785D8BA9D3EDE80513536A3A6865A5CC785,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000112407Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:19:24.191{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E5C07E4F3F104FE37503F49AAF8BD08C,SHA256=38F1E9F1ECB49E417515ED391E0D50F14B53B01EA7AA101E28B4B58BFDE4DEB1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000094642Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:19:25.634{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=027C7C064CFF755B7314D28542DFE83E,SHA256=5469FC41748908ECC93EC6CA4F63E8EC5CBB3BDEA39EDCB12F95913BEB9DB3D7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000112409Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:19:25.207{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=30E3A70C88A01E666697C27AB6D771F4,SHA256=5C9297E5555ECDC0565934D316ADD39A17954037299121C4DB97A111664B06D0,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000094641Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:19:23.072{601D2BAB-04F9-614B-6600-00000000FD01}2700C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-301.eu-central-1.compute.internal50336-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000112408Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:19:25.051{D0132419-04D0-614B-1300-00000000FC01}396NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=93A3050908C36D0153D15327248F0208,SHA256=BF15EDBC4F08C0D7505F847222FAA15C02D3CD0A6522C17AA7F8A2CE213538CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000094643Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:19:26.649{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B104AD52D4C35263EB2050D58EF7E4FB,SHA256=CD3C7CCBFAACF3C34A4124562E525945152CC46F225C514EF93A37404C353007,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000112411Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:19:24.542{D0132419-04E8-614B-6A00-00000000FC01}3852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local55834-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000112410Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:19:26.269{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A37C3D9D8874457A249C146A231E6230,SHA256=53BB8F25B7802E161B20DDCB43F749DE9B53F8C1A7457460EBFBF6DA41484762,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000094644Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:19:27.649{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1A464E2E36ED4D38BCA1A97A0480E369,SHA256=C03011D4B42BC6304EE7E3F0618E9E92B85CD4ED1AEC8AE4B35ED81F5B0089F1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000112412Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:19:27.301{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=05225AE95A8F386B9AFB191785614900,SHA256=E8EEB5F66E4FC21DACC4DE8CAAD677967E282EF685C3822E26C6718D38D49693,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000094645Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:19:28.649{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=99143743D35CC1A239D4ED921E061974,SHA256=387247DF782B7F22F985361555D92B312E5B4F2F22DFF763E85ABC98E39F73B4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000112413Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:19:28.332{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9734CBC1B86FF97609CA18890C2BEB4B,SHA256=6707E33966CCA5160C3981CBBAAC4784A414C18A04F83A26767996DA3B181657,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000094646Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:19:29.649{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=12850B0DAF527B97F14139EACAB7D231,SHA256=8F79AA55A171F53FBA7C4DF692DCFDB37F36BBA46FD7C3B3646A66A1A7A37F23,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000112414Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:19:29.347{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D38B0FC1D27E51BD5EC18D45F56BB76A,SHA256=81341A95859F896E325ED6AF6F711E0346A50345C2B955DA5525731D72382008,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000094648Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:19:30.681{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E3A281DCF4EDB5AB21AA7F076AD1CDBB,SHA256=D7C5957C4F2D7CDA01EEDB52277EEA75FD3AE8C51C4FF1DD9277024D5200BBE8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000112415Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:19:30.363{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5DA03501931ECF3DC92C8E8124C4BE37,SHA256=3E51125037A5EBA81CA8A82F709A5AA498BB17E58320F7B7EDA555869C8A12DB,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000094647Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:19:29.041{601D2BAB-04F9-614B-6600-00000000FD01}2700C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-301.eu-central-1.compute.internal50337-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000094649Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:19:31.712{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1FCE3BF76A286174E2A1A625A1B13F08,SHA256=4E3FDBA1E91668211AF5347019FF5666C08DA81351875CF0EF074F82A060867A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000112417Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:19:29.604{D0132419-04E8-614B-6A00-00000000FC01}3852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local55835-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000112416Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:19:31.394{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C2E2EC123308D97A639ECCDC9E622EE6,SHA256=DB6B95500A58C8F0073E7A145FEF398E45B261CCF0ACFE32F09C3D8356999370,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000094650Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:19:32.727{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=06ABDA6D275EC6BDEEC817F6EB181286,SHA256=CA30E6D39C15CCE7371F264AF80734F0946BDE4E6C53EB9174D6F376EFF38755,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000112418Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:19:32.426{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=44E6B849E3601A7FC19BA44558E2F742,SHA256=6CB14B6A439B1E5D053BB7B2FA950BCA475E690A5F655E10E011C9C264DCCFD0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000094651Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:19:33.743{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5859FA431AB71149C75C2DF71FA27631,SHA256=CA68333A07242007A58489756BC16C8D7AA8BAEBF918822687605F3B7452BC94,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000112419Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:19:33.426{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CF7C4474AE50438500C6D8847BEEE550,SHA256=8758A0C8722F4CC37749C409453C1855D811EABFF0CD6B0D069E829E27172F1A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000094652Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:19:34.743{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E169124D1E7382F8BEF9853FEF2B043,SHA256=D5FC5272DAFB460A46AC7D28244CF53947553F912DAE13E7E8E29EC90B4FE9AF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000112420Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:19:34.441{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F70DC83F010ACCB93C415A270FC526C,SHA256=B552197CAE0A4ABCC4717F0D64A328A3FFEBAD6351A82D85905016E725DA606F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000094654Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:19:35.790{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=836838F26C9B6D382E60AF7FEF1A2401,SHA256=CC3E3E953DE33AA1817603279E765DDB344D7394F6E028357E40710800475227,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000112421Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:19:35.457{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=719DF8030FE94F881513050ECC8D6EA8,SHA256=9715BE1C0B37AC0CA313A3E6F3E92AB47CA4D5ED0B1EDD6B0A090646B2BC6EE5,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000094653Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:19:34.166{601D2BAB-04F9-614B-6600-00000000FD01}2700C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-301.eu-central-1.compute.internal50338-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000094655Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:19:36.806{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4A493E0D0D1D45D12308BEA2CCBD085A,SHA256=395F7673F82BA76EF506FB7CA8CEA514B53BA53747093CCCEA420D59D5891FAE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000112423Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:19:36.926{D0132419-04DD-614B-2800-00000000FC01}2832NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=2990B16A694DD695D7F6C8AE7AEE48F0,SHA256=B465CF03FBDF89CAB3FC04972E2D540944CDC3DF8EB3010FFE979D2D499C10D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000112422Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:19:36.472{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A496E04C46EB99745D86170A128E4FF5,SHA256=C2F0C591B2F6205568232CBDFBE5EFC1FDB4F4E2858BB9D6FF7E4F42CACD83BB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000094656Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:19:37.821{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=44F7EC96092010FF14986797B29B5577,SHA256=906B38CC80C6C0E754B3F653B2DCEC2C4496716C5A79FF05C43E19BF2B29E459,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000112424Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:19:37.488{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2D033A93997F229B0DACE585498071B9,SHA256=9783057732AA1911FAB424FF846BBA8AFCA847853498C81E06454D20FE9226C5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000094657Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:19:38.821{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB7706F7A835EEAE7008EFA3C05011DC,SHA256=E775D9C4ACA8DDE4CDBDFC58A814978975FD1514D3D3835FFBFFD9995E1EBD80,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000112427Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:19:38.519{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED71FDAA0766D7127B5CF84201E53937,SHA256=874A2E5B99865EACEF6DCA41C25075C0AF0CAF6964DA1EF14A0A90695D76CD6D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000112426Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:19:36.401{D0132419-04DD-614B-2800-00000000FC01}2832C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local55837-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 354300x8000000000000000112425Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:19:35.651{D0132419-04E8-614B-6A00-00000000FC01}3852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local55836-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000112428Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:19:39.535{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EFE47352FD106D636040E11134C17AD9,SHA256=C5AA6512283BF08C907AC4DDCBF15563003BDC159C507071A1C9CCB0D95A9DF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000094658Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:19:39.867{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=351B4D3181D2560F498EC724646266F6,SHA256=ECEFD64BFEC46FE8EC10FAA13FBF3E6783F532A77220942D0F183666C60CC2CE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000094659Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:19:40.930{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=14CA6B6944C4ECDEA1E6B34533C2EB25,SHA256=3FC547E546AF01F89E92290E208CB0A5C7B16425917707E1AA09B82291F8D2C0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000112429Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:19:40.551{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E2594882882EF43D9A482E52D2FCE64C,SHA256=156E7DA775BB06EF9897FA3FC6804DA9ED8EFB6FD6501B897E2909B1425D071E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000094662Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:19:41.930{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F2B855D35D387E1CBFBA5384DF40964,SHA256=BA0E9267AFF9989380644956B16CAAAD4595DB896732D56A242148BA492BBE86,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000112430Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:19:41.582{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=438B751B0B7EDE65E556C408A5B8B8FF,SHA256=BCE9B71B50DA5767534134BAA68E8DC982F9F8AC2D7E164F81DC6A45F13D1482,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000094661Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:19:41.914{601D2BAB-04EF-614B-2300-00000000FD01}1560NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=2990B16A694DD695D7F6C8AE7AEE48F0,SHA256=B465CF03FBDF89CAB3FC04972E2D540944CDC3DF8EB3010FFE979D2D499C10D3,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000094660Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:19:40.134{601D2BAB-04F9-614B-6600-00000000FD01}2700C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-301.eu-central-1.compute.internal50339-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000094663Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:19:42.977{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E101EA020CEDE58CB5CE14A976377A4,SHA256=3DDA8A0BF501D50472CB856633E9C8EA0DF2C902747EE47A20B406B1EBCCA8E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000112431Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:19:42.597{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB7DFCFBB3FC9E2E13D2C0EE15D9EF34,SHA256=90C0F008033500F52002E9E8AF1069B2A2E8A7000652C1D2DFE7BE4C9ED1C134,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000112432Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:19:43.660{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0DC97D0E50C1AB492058B1463CD87E66,SHA256=2152C8D3B17111197A91BA24F1F3ECBBC3BABACEAD58FDC3A78B8B206E2D57BF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000094665Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:19:43.992{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=29B72A790D182AC4E770908583220D81,SHA256=2981D7A64F9F8F3BC168DB22CA94AB45FC9224E3578626C3632B56E8DABA4E2A,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000094664Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:19:41.831{601D2BAB-04EF-614B-2300-00000000FD01}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-301.eu-central-1.compute.internal50340-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x800000000000000094666Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:19:44.992{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C463FBB803A168C5716E678D6970F60F,SHA256=E10E345FFB29F9801E257C2056C41F3D84A92903C39D29215710AAACDED990B5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000112434Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:19:44.676{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA0C406F21ABF411B701F2E9EDA9AA95,SHA256=BFCA4E6344B0B0FEC576DA33319A7789A34A1C7CCD6C2DEB5ED6F3970CAC74D5,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000112433Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:19:41.682{D0132419-04E8-614B-6A00-00000000FC01}3852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local55838-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000112435Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:19:45.691{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F5A681831D1A65CE6896E029F980C01,SHA256=E37A4DE1A0A26EE7606C3E1C80588470FDE0E7D0C408FB8B47FA63C2C45A7C68,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000112436Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:19:46.769{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF864DB049D5700C07972D3CDF44BE34,SHA256=40CBD318B2C6E1454B62B5352A280BAEAB1C627ED12D730B73473E632B64CA2B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000094667Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:19:46.024{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3EAF69111FB596B4E72BBE2C4B05E3A1,SHA256=4272FFD2EE6841AB5D64460926797DD1407F56A877EBD38D73A73835A6761EAF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000112437Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:19:47.785{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=590182E7226BEB865491B647D32CC0B8,SHA256=5746FC6E91DEB977EEAFE70DB5E98584F30832AAB7148C582F0B98C7B8341DC0,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000094669Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:19:46.025{601D2BAB-04F9-614B-6600-00000000FD01}2700C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-301.eu-central-1.compute.internal50341-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000094668Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:19:47.039{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ECAD027E39DB8AD6B3E848DA31A46167,SHA256=A8D4B44DC8D4D8D5E085FD6CD6620B3EECDA15418C0FAEA84E5718F61859BA92,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000112438Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:19:48.801{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B6798AF8B9067BDB65945BD1ACB080F7,SHA256=62473CD77F24B4329F9FF4CF2D1E9CADE9FE30E2EC3AD7B94C0F46D138767B03,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000094670Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:19:48.055{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A630D5B4A042E1F8A952D12921DD159,SHA256=ED72BE17DB04D2378B0D6C5B9AC73F84F86BC92FF756B41C9CECA85D760BC734,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000112447Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:19:49.816{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EF8F85DE5EF4DE3A6E7F22189B1A6048,SHA256=02801E412010D13213B6240698FFA6747CE4E9F62843F0CAED5C3DBCD27E4D1C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000112446Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:19:49.519{D0132419-04DE-614B-3100-00000000FC01}23683044C:\Windows\system32\conhost.exe{D0132419-1155-614B-5402-00000000FC01}4156C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000112445Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:19:49.519{D0132419-04CF-614B-0C00-00000000FC01}8481412C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000112444Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:19:49.519{D0132419-04CF-614B-0C00-00000000FC01}8481412C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000112443Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:19:49.519{D0132419-04CF-614B-0C00-00000000FC01}8481412C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000112442Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:19:49.519{D0132419-04CF-614B-0C00-00000000FC01}8481412C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000112441Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:19:49.519{D0132419-04CD-614B-0500-00000000FC01}42492C:\Windows\system32\csrss.exe{D0132419-1155-614B-5402-00000000FC01}4156C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000112440Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:19:49.519{D0132419-04DD-614B-2800-00000000FC01}28323704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D0132419-1155-614B-5402-00000000FC01}4156C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000112439Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:19:49.520{D0132419-1155-614B-5402-00000000FC01}4156C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D0132419-04CD-614B-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{D0132419-04DD-614B-2800-00000000FC01}2832C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000094671Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:19:49.055{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A3BCAA744B3E5CB76BFA56701E67880F,SHA256=2B5CC45BBA7A1E45D61185CBFAD2669F3DA2302B8714CCC685F10ED4F74278F7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000112459Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:19:50.832{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE5C2BC9BDF5BD5F781C712FC0747150,SHA256=A3140560E22A38DE60BAF05B5AFD194C07C402BBAEE76C95166CBAA26DD92EAD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000094672Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:19:50.117{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5182611AFE6FDBACBC8A93E1C7310959,SHA256=F31ED46082F23D1AC77CCDD83516E839872E1F4E12D3CF1E2C1C6AD05A9846E8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000112458Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:19:50.597{D0132419-04DE-614B-3100-00000000FC01}23683044C:\Windows\system32\conhost.exe{D0132419-1156-614B-5502-00000000FC01}2232C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000112457Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:19:50.597{D0132419-04CF-614B-0C00-00000000FC01}8481412C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000112456Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:19:50.597{D0132419-04CF-614B-0C00-00000000FC01}8481412C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000112455Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:19:50.597{D0132419-04CF-614B-0C00-00000000FC01}8481412C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000112454Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:19:50.597{D0132419-04CF-614B-0C00-00000000FC01}8481412C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000112453Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:19:50.597{D0132419-04CD-614B-0500-00000000FC01}424540C:\Windows\system32\csrss.exe{D0132419-1156-614B-5502-00000000FC01}2232C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000112452Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:19:50.597{D0132419-04DD-614B-2800-00000000FC01}28323704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D0132419-1156-614B-5502-00000000FC01}2232C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000112451Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:19:50.598{D0132419-1156-614B-5502-00000000FC01}2232C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D0132419-04CD-614B-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{D0132419-04DD-614B-2800-00000000FC01}2832C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000112450Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:19:50.519{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A9E7C4EBBAEFC34FE6019CA1FF28C889,SHA256=0E549314903F0F67467BB196A520E4B59816D7551D8FF298B094C2B382B75A65,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000112449Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:19:50.519{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9BBF54750E85E6B086FD794CD1B18354,SHA256=558C64068ED22F8FD8D019BD4CB150B04E4F8446060343D61FA2CB576315E14F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000112448Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:19:47.557{D0132419-04E8-614B-6A00-00000000FC01}3852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local55839-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000112470Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:19:51.847{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=236BCB7CDD5CFDD7FC6E6CDD7B50E5A3,SHA256=C9A395AF3313C31CCF1F2C1FA1F668655674CD3961598DA2FC391575CFCF3BC5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000094673Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:19:51.117{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8FB869E0947FBF3FBDCF85632E1400CF,SHA256=B80D227B8B906D5A1E4EC878C33C8989BD03C2B0D4F5D036FF540CA3367B9927,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000112469Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:19:51.613{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A9E7C4EBBAEFC34FE6019CA1FF28C889,SHA256=0E549314903F0F67467BB196A520E4B59816D7551D8FF298B094C2B382B75A65,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000112468Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:19:51.441{D0132419-1157-614B-5602-00000000FC01}42085136C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{D0132419-04DD-614B-2800-00000000FC01}2832C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000112467Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:19:51.269{D0132419-04DE-614B-3100-00000000FC01}23683044C:\Windows\system32\conhost.exe{D0132419-1157-614B-5602-00000000FC01}4208C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000112466Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:19:51.269{D0132419-04CF-614B-0C00-00000000FC01}8481412C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000112465Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:19:51.269{D0132419-04CF-614B-0C00-00000000FC01}8481412C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000112464Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:19:51.269{D0132419-04CF-614B-0C00-00000000FC01}8481412C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000112463Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:19:51.269{D0132419-04CF-614B-0C00-00000000FC01}8481412C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000112462Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:19:51.269{D0132419-04CD-614B-0500-00000000FC01}424540C:\Windows\system32\csrss.exe{D0132419-1157-614B-5602-00000000FC01}4208C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000112461Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:19:51.269{D0132419-04DD-614B-2800-00000000FC01}28323704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D0132419-1157-614B-5602-00000000FC01}4208C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000112460Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:19:51.270{D0132419-1157-614B-5602-00000000FC01}4208C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D0132419-04CD-614B-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{D0132419-04DD-614B-2800-00000000FC01}2832C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000112471Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:19:52.863{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA582663B1F3037C77999D3EFF4CBA36,SHA256=8AD24596B63949E5124E6D7E7505919F5472AD4017319626B3177F8122A9D3CF,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000094675Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:19:51.056{601D2BAB-04F9-614B-6600-00000000FD01}2700C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-301.eu-central-1.compute.internal50342-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000094674Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:19:52.149{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C2E9EDE7C72194B5925CD3057E2879F7,SHA256=877C5F7F38D6F2548F30D01A0708792AD7CC0722CEE44CAF2E41C8225F962C6A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000112483Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:19:53.879{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EAAA715BE8C5A425BB2C4C3D664600AB,SHA256=9449059D40E6C5394664EF53F1826B66A5C0D75E9C76AADAF2A4D03D2438922F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000112482Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:19:53.801{D0132419-1159-614B-5702-00000000FC01}5848916C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D0132419-04DD-614B-2800-00000000FC01}2832C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000112481Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:19:53.613{D0132419-04DE-614B-3100-00000000FC01}23683044C:\Windows\system32\conhost.exe{D0132419-1159-614B-5702-00000000FC01}5848C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000112480Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:19:53.613{D0132419-04CF-614B-0C00-00000000FC01}8481412C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000112479Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:19:53.613{D0132419-04CF-614B-0C00-00000000FC01}8481412C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000112478Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:19:53.613{D0132419-04CF-614B-0C00-00000000FC01}8481412C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000112477Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:19:53.613{D0132419-04CF-614B-0C00-00000000FC01}8481412C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000112476Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:19:53.613{D0132419-04CD-614B-0500-00000000FC01}424540C:\Windows\system32\csrss.exe{D0132419-1159-614B-5702-00000000FC01}5848C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000112475Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:19:53.613{D0132419-04DD-614B-2800-00000000FC01}28323704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D0132419-1159-614B-5702-00000000FC01}5848C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000112474Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:19:53.614{D0132419-1159-614B-5702-00000000FC01}5848C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D0132419-04CD-614B-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{D0132419-04DD-614B-2800-00000000FC01}2832C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000112473Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:19:50.463{D0132419-04CD-614B-0B00-00000000FC01}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local55840-true0:0:0:0:0:0:0:1win-dc-639.attackrange.local389ldap 354300x8000000000000000112472Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:19:50.463{D0132419-04DD-614B-2500-00000000FC01}2784C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local55840-true0:0:0:0:0:0:0:1win-dc-639.attackrange.local389ldap 23542300x800000000000000094676Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:19:53.164{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA0E476F5A0C1CE3FD1BF70BD5645973,SHA256=39353280DC198022C1EFBD94F0905A2040859C3A16C346006EA0495BD1A38073,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000112486Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:19:54.926{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=082DDA61DC9EE0C764ADACE6ABFC8BBB,SHA256=F4FF30AB34362EEF46DB9F04F08A86DCBC8F19213EF1C722173541A0B8B41FF1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000094677Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:19:54.211{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9FAB942B086CA5C48C18A8BBB6FD4CDB,SHA256=D2395D42FE0A9EC1A25CA7006F17098F86C3F9DF54C2F911851BA0BFD1A0B04D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000112485Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:19:54.660{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E7487A2B665203BB0B80E388AF94BAD3,SHA256=B5F6CE613804CA703159902EE1DC7D66C856CD90976DB1644B188F7996650198,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000112484Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:19:52.651{D0132419-04E8-614B-6A00-00000000FC01}3852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local55841-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000112487Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:19:55.957{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=000B698B2CE1DD8BB460AE4EE4C09C3C,SHA256=D96D60A87124B33B03F17FD73C1E40A6C35455CAFF8154926DE02C3828A0A18A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000094679Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:19:55.274{601D2BAB-04EE-614B-1100-00000000FD01}972NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=3A70F5C5D960CD44DEAF17553E82693C,SHA256=BB7A27FAF326AAF9D1511D5E531FAD223DE59EECF39A1F9C18642E9D4D396847,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000094678Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:19:55.211{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=262968C449061CBE9A5B027BD25C5516,SHA256=04F9354E9762746277EE10BA13FBC2C375E11D19D7A35607D66070B6F96207FD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000112488Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:19:56.972{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B031C1B288B438176B4A2729CC50666F,SHA256=8908D9040EAA1A10B9F73925E8C732385326487E5611DE092C578AACC56F620C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000094690Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:19:56.211{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=04CABD5E14E71F83724D6D46F99C88EA,SHA256=777F777ECD6A77FD9664CD9E7FF49D03C8C6A181DA4CD56EA2F0688B6A6B5279,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000094689Microsoft-Windows-Sysmon/Operationalwin-host-301-SetValue2021-09-22 11:19:56.039{601D2BAB-04EE-614B-0B00-00000000FD01}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x800000000000000094688Microsoft-Windows-Sysmon/Operationalwin-host-301-SetValue2021-09-22 11:19:56.039{601D2BAB-04EE-614B-0B00-00000000FD01}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x003128c7) 13241300x800000000000000094687Microsoft-Windows-Sysmon/Operationalwin-host-301-SetValue2021-09-22 11:19:56.039{601D2BAB-04EE-614B-0B00-00000000FD01}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7af9b-0x635c3ecd) 13241300x800000000000000094686Microsoft-Windows-Sysmon/Operationalwin-host-301-SetValue2021-09-22 11:19:56.039{601D2BAB-04EE-614B-0B00-00000000FD01}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7afa3-0xc520a6cd) 13241300x800000000000000094685Microsoft-Windows-Sysmon/Operationalwin-host-301-SetValue2021-09-22 11:19:56.039{601D2BAB-04EE-614B-0B00-00000000FD01}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7afac-0x26e50ecd) 13241300x800000000000000094684Microsoft-Windows-Sysmon/Operationalwin-host-301-SetValue2021-09-22 11:19:56.039{601D2BAB-04EE-614B-0B00-00000000FD01}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x800000000000000094683Microsoft-Windows-Sysmon/Operationalwin-host-301-SetValue2021-09-22 11:19:56.039{601D2BAB-04EE-614B-0B00-00000000FD01}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x003128c7) 13241300x800000000000000094682Microsoft-Windows-Sysmon/Operationalwin-host-301-SetValue2021-09-22 11:19:56.039{601D2BAB-04EE-614B-0B00-00000000FD01}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7af9b-0x635c3ecd) 13241300x800000000000000094681Microsoft-Windows-Sysmon/Operationalwin-host-301-SetValue2021-09-22 11:19:56.039{601D2BAB-04EE-614B-0B00-00000000FD01}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7afa3-0xc520a6cd) 13241300x800000000000000094680Microsoft-Windows-Sysmon/Operationalwin-host-301-SetValue2021-09-22 11:19:56.039{601D2BAB-04EE-614B-0B00-00000000FD01}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7afac-0x26e50ecd) 23542300x8000000000000000112490Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:19:57.993{D0132419-04DD-614B-2900-00000000FC01}2876NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-00d0db05f68d8430c\channels\health\respondent-20210922102639-051MD5=345F625AB226979275E8E5CD8333D545,SHA256=49B2C959B2C09B2DF7CFAED4905912E8B63F426A3734D76F2BAAFA07100D73D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000112489Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:19:57.993{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F93FAC1393153544EB48B9F2850577C,SHA256=287065218B20846E544912380B60DE137211FF94F3476EEC9271F04E046B4E44,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000094692Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:19:56.166{601D2BAB-04F9-614B-6600-00000000FD01}2700C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-301.eu-central-1.compute.internal50343-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000094691Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:19:57.211{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=97D949947D4556A8B86B30C6D88AF627,SHA256=B27F37A944A6AFF7A541E6CED781E3C1D5B2EC294AFA20C33F31FB0A428D16E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000112492Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:19:58.996{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E455413A918CD201056335F44D2056F7,SHA256=4EFDAF9DE2967FF1ACA9B72828B768D23BA8AE03087CC1D0F90964D402FDEB1C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000112491Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:19:58.993{D0132419-04DD-614B-2900-00000000FC01}2876NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-00d0db05f68d8430c\channels\health\surveyor-20210922102637-052MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000094693Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:19:58.211{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=947EFD5CC30C4FBA282CF86957FAF91D,SHA256=90E0A72140A340D7B8FAFDB5BE05383729CB38371FF664223FA5717F5890DE9C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000094694Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:19:59.211{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FBC60D90E55956F9C5F40B73B1B89462,SHA256=24BE89824D8197E4B3A0E0D3665BB33C6D316601E56BE05A907DCB6D5CDCAFDB,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000112493Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:19:57.732{D0132419-04E8-614B-6A00-00000000FC01}3852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local55842-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000112494Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:20:00.009{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D328CCB5C46BBD93370587AA4F5D8C39,SHA256=4DED09BE6A02CF66DBEFCBD0B6517B366753B4903F3EE103AD9D79396A1353FC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000094695Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:20:00.224{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DFE85B0D892874477D439A8469DCDE99,SHA256=5029318E3A7999B802D06E2AFD795E4618AF57CE200B73B295B049D83E88B518,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000112495Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:20:01.009{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A598DAD50A1A62883B51178238695329,SHA256=905028C1B2F1986C2E17BC9BAA4A6A629AE43C98D52871E3D2B18EF3AEFD3EAC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000094696Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:20:01.224{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D2C18B0B7A39D05CC6C8D8F5A12DB22,SHA256=088C5EC53836A88F4E45191977E34A8B464E7B4200F27C662104644A54F367C1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000112496Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:20:02.024{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=188BE1621AE9CC4F9F51656F7C21BEB4,SHA256=CA3B5D14103D2845CC095EFB25BFB7448FE933C251A27FF0DC93E599711896F9,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000094698Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:20:01.179{601D2BAB-04F9-614B-6600-00000000FD01}2700C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-301.eu-central-1.compute.internal50344-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000094697Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:20:02.224{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A8F027B385E022BA974DB61E3E47076F,SHA256=768A1C21950DA9BAB6A67DA9B910A8E954A6CF12305E65949B97CF5FED3F16FE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000094699Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:20:03.224{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D184F0999B3A678018D5DAC21C98E56A,SHA256=604C3E7C3914A62E2AF1E2F88132F45106709CBCFCBAD72AAC5037A9986FAE9C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000112497Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:20:03.040{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D00FCF0A41CE9FA222AA5B03DC44445D,SHA256=E6D236233BC224E9EAF96EE769E20C189A099C5F1942395DC723C75E36D2EE20,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000112498Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:20:04.056{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=620AE135D20AA3C515E31F9874BCD10E,SHA256=804EE118CB332F31EB412C2ED6B21591416036FF4CAFB2F09B8ED795699136E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000094700Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:20:04.240{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7CD8BDF697B0DEF7CE5FD57CFEFC7847,SHA256=34DE41EBEFA350D477D108C8E3810B4CF037148632776DE4E8FEC1F1250FA81E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000112500Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:20:03.515{D0132419-04E8-614B-6A00-00000000FC01}3852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local55843-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000112499Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:20:05.087{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B12C9D449196B72D4E047A253711FE0,SHA256=4BAEB8BD00D8DCECA921870FEB5B3ABD24E2D117032CBD7A738BAE52E17785AD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000094701Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:20:05.240{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE2EE57DD7D16CA425EBE0C63BF00156,SHA256=82543F7B1D0F7E2CDA36ECCE59642A174AA0BE78B4E08C6DDAB1EF7911BDB426,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000112518Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:20:06.868{D0132419-04DE-614B-3100-00000000FC01}23683044C:\Windows\system32\conhost.exe{D0132419-1166-614B-5902-00000000FC01}6132C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000112517Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:20:06.868{D0132419-04CF-614B-0C00-00000000FC01}8481412C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000112516Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:20:06.868{D0132419-04CF-614B-0C00-00000000FC01}8481412C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000112515Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:20:06.868{D0132419-04CF-614B-0C00-00000000FC01}8481412C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000112514Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:20:06.868{D0132419-04CF-614B-0C00-00000000FC01}8481412C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000112513Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:20:06.868{D0132419-04CD-614B-0500-00000000FC01}424540C:\Windows\system32\csrss.exe{D0132419-1166-614B-5902-00000000FC01}6132C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000112512Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:20:06.868{D0132419-04DD-614B-2800-00000000FC01}28323704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D0132419-1166-614B-5902-00000000FC01}6132C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000112511Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:20:06.869{D0132419-1166-614B-5902-00000000FC01}6132C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D0132419-04CD-614B-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{D0132419-04DD-614B-2800-00000000FC01}2832C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000112510Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:20:06.384{D0132419-1166-614B-5802-00000000FC01}59124536C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D0132419-04DD-614B-2800-00000000FC01}2832C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000112509Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:20:06.196{D0132419-04DE-614B-3100-00000000FC01}23683044C:\Windows\system32\conhost.exe{D0132419-1166-614B-5802-00000000FC01}5912C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000112508Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:20:06.196{D0132419-04CF-614B-0C00-00000000FC01}8481412C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000112507Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:20:06.196{D0132419-04CF-614B-0C00-00000000FC01}8481412C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000112506Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:20:06.196{D0132419-04CD-614B-0500-00000000FC01}424540C:\Windows\system32\csrss.exe{D0132419-1166-614B-5802-00000000FC01}5912C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000112505Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:20:06.196{D0132419-04CF-614B-0C00-00000000FC01}8481412C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000112504Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:20:06.196{D0132419-04CF-614B-0C00-00000000FC01}8481412C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000112503Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:20:06.196{D0132419-04DD-614B-2800-00000000FC01}28323704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D0132419-1166-614B-5802-00000000FC01}5912C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000112502Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:20:06.197{D0132419-1166-614B-5802-00000000FC01}5912C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{D0132419-04CD-614B-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{D0132419-04DD-614B-2800-00000000FC01}2832C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000112501Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:20:06.149{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=73AB640EEFA8815F0CA9B6D462DB6033,SHA256=2C0C3BBB028715DAD996A703ECEC038708C8281B59D7EECD9A788E1A0DA670DA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000094715Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:20:06.240{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=23032CF692B3701C678791514830E3DF,SHA256=46822270DE605EAF63C91D128FA44EB44AF8B953E4E12C5FD0117D572920F777,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000094714Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:20:06.224{601D2BAB-04F0-614B-2B00-00000000FD01}28122832C:\Windows\system32\conhost.exe{601D2BAB-1166-614B-0A02-00000000FD01}420C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094713Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:20:06.224{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094712Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:20:06.224{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094711Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:20:06.224{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094710Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:20:06.224{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094709Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:20:06.224{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094708Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:20:06.224{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094707Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:20:06.224{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094706Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:20:06.224{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094705Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:20:06.224{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094704Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:20:06.224{601D2BAB-04ED-614B-0500-00000000FD01}412428C:\Windows\system32\csrss.exe{601D2BAB-1166-614B-0A02-00000000FD01}420C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000094703Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:20:06.224{601D2BAB-04EF-614B-2300-00000000FD01}15603852C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{601D2BAB-1166-614B-0A02-00000000FD01}420C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000094702Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:20:06.225{601D2BAB-1166-614B-0A02-00000000FD01}420C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{601D2BAB-04EE-614B-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{601D2BAB-04EF-614B-2300-00000000FD01}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000094745Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:20:07.896{601D2BAB-1167-614B-0C02-00000000FD01}15041068C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{601D2BAB-04EF-614B-2300-00000000FD01}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094744Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:20:07.787{601D2BAB-04F0-614B-2B00-00000000FD01}28122832C:\Windows\system32\conhost.exe{601D2BAB-1167-614B-0C02-00000000FD01}1504C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094743Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:20:07.787{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094742Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:20:07.787{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094741Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:20:07.787{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094740Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:20:07.787{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094739Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:20:07.787{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094738Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:20:07.787{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094737Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:20:07.787{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094736Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:20:07.787{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094735Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:20:07.787{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094734Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:20:07.787{601D2BAB-04ED-614B-0500-00000000FD01}412528C:\Windows\system32\csrss.exe{601D2BAB-1167-614B-0C02-00000000FD01}1504C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000094733Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:20:07.787{601D2BAB-04EF-614B-2300-00000000FD01}15603852C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{601D2BAB-1167-614B-0C02-00000000FD01}1504C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000094732Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:20:07.787{601D2BAB-1167-614B-0C02-00000000FD01}1504C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{601D2BAB-04EE-614B-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{601D2BAB-04EF-614B-2300-00000000FD01}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000094731Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:20:07.255{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=00BF313E449E65D33CEA74EB95E667ED,SHA256=985B5926241FFB9DA9C050F8CED019561C14C3DAC1DA9E88887DE12A33501F82,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000112530Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:20:07.540{D0132419-04DE-614B-3100-00000000FC01}23683044C:\Windows\system32\conhost.exe{D0132419-1167-614B-5A02-00000000FC01}4424C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000112529Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:20:07.540{D0132419-04CF-614B-0C00-00000000FC01}8481412C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000112528Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:20:07.540{D0132419-04CF-614B-0C00-00000000FC01}8481412C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000112527Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:20:07.540{D0132419-04CF-614B-0C00-00000000FC01}8481412C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000112526Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:20:07.540{D0132419-04CF-614B-0C00-00000000FC01}8481412C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000112525Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:20:07.540{D0132419-04CD-614B-0500-00000000FC01}42492C:\Windows\system32\csrss.exe{D0132419-1167-614B-5A02-00000000FC01}4424C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000112524Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:20:07.540{D0132419-04DD-614B-2800-00000000FC01}28323704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D0132419-1167-614B-5A02-00000000FC01}4424C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000112523Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:20:07.541{D0132419-1167-614B-5A02-00000000FC01}4424C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D0132419-04CD-614B-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{D0132419-04DD-614B-2800-00000000FC01}2832C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000112522Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:20:07.337{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1810933698989DC8FF6227DDBD3CFC49,SHA256=D732121C3353A6EAF92127915F407861C5997C10A5463C20F10FAB39483C2E68,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000112521Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:20:07.337{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=40FD0D6059E9063CEEBEFD7EC7E0DB3F,SHA256=A35C7D6D5C3945595D4AEA2FFC35AB3CB07B34340C1EEFD1268574CA80CF123F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000112520Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:20:07.165{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B428215CFC163DCA04D59B3E3DED5B6,SHA256=CBC8356C3C089E0F9E22464DE3A6E60375C6B472A92795A400F2CDFF0876B06C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000112519Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:20:07.071{D0132419-1166-614B-5902-00000000FC01}61323828C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{D0132419-04DD-614B-2800-00000000FC01}2832C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000094730Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:20:07.224{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F8A33830BCD358FF9D337320A4EA0D9C,SHA256=510D0AE55D403FB0885C1AC0BD5D46635D75B9E8885506E6B85B53E5B50A20E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000094729Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:20:07.224{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1FFB0E737D232FEC5A865B43F18AF9EE,SHA256=4FFAAF41C1D2B9D2D12D0ECB1DC09C824B6F6DDB9A05FD2AFDBDED4BAB4690AD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000094728Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:20:07.115{601D2BAB-04F0-614B-2B00-00000000FD01}28122832C:\Windows\system32\conhost.exe{601D2BAB-1167-614B-0B02-00000000FD01}2696C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094727Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:20:07.115{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094726Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:20:07.115{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094725Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:20:07.115{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094724Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:20:07.115{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094723Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:20:07.115{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094722Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:20:07.115{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094721Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:20:07.115{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094720Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:20:07.115{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094719Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:20:07.115{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094718Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:20:07.115{601D2BAB-04ED-614B-0500-00000000FD01}412528C:\Windows\system32\csrss.exe{601D2BAB-1167-614B-0B02-00000000FD01}2696C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000094717Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:20:07.115{601D2BAB-04EF-614B-2300-00000000FD01}15603852C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{601D2BAB-1167-614B-0B02-00000000FD01}2696C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000094716Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:20:07.116{601D2BAB-1167-614B-0B02-00000000FD01}2696C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{601D2BAB-04EE-614B-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{601D2BAB-04EF-614B-2300-00000000FD01}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000112532Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:20:08.571{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1810933698989DC8FF6227DDBD3CFC49,SHA256=D732121C3353A6EAF92127915F407861C5997C10A5463C20F10FAB39483C2E68,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000112531Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:20:08.181{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=454DE608C5C4111436462B6A05FE6FDF,SHA256=FBBB8F910A79AB4202D1143722857A5C94D4D8B8C5EA889257BDB8E000992440,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000094746Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:20:08.256{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=078CCC282ADD1BD752F1C4F8E27C167C,SHA256=158BB6100E0E135F7A929409365EFE5710EDD0C8AD7E55555BBAAEB3506F2D85,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000112533Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:20:09.212{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED039154202AED81C92FCAA210AAE264,SHA256=6B09E5199AFCF652A1AC7DCBE0D8895C030674D1CDA4CE23EB85508AD34DBA77,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000094763Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:20:09.927{601D2BAB-1169-614B-0D02-00000000FD01}13602796C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{601D2BAB-04EF-614B-2300-00000000FD01}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094762Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:20:09.755{601D2BAB-04F0-614B-2B00-00000000FD01}28122832C:\Windows\system32\conhost.exe{601D2BAB-1169-614B-0D02-00000000FD01}1360C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094761Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:20:09.755{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094760Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:20:09.755{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094759Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:20:09.755{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094758Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:20:09.755{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094757Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:20:09.755{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094756Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:20:09.755{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094755Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:20:09.755{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094754Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:20:09.755{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094753Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:20:09.755{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094752Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:20:09.755{601D2BAB-04ED-614B-0500-00000000FD01}412428C:\Windows\system32\csrss.exe{601D2BAB-1169-614B-0D02-00000000FD01}1360C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000094751Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:20:09.755{601D2BAB-04EF-614B-2300-00000000FD01}15603852C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{601D2BAB-1169-614B-0D02-00000000FD01}1360C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000094750Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:20:09.756{601D2BAB-1169-614B-0D02-00000000FD01}1360C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{601D2BAB-04EE-614B-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{601D2BAB-04EF-614B-2300-00000000FD01}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000094749Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:20:09.256{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D2483FD054D572E2FABF9AFE6EDC046F,SHA256=DE2467D011B43FDED1ADA3F0B047675D708BD53692E8C7347BA912B09E489D09,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000094748Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:20:07.101{601D2BAB-04F9-614B-6600-00000000FD01}2700C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-301.eu-central-1.compute.internal50345-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000094747Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:20:09.006{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F8A33830BCD358FF9D337320A4EA0D9C,SHA256=510D0AE55D403FB0885C1AC0BD5D46635D75B9E8885506E6B85B53E5B50A20E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000112534Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:20:10.227{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=04AA81DD908F68A82CBC34FEB942172A,SHA256=47A59A06F47F7C1D789D7CCD11192D2C974433F9C262AC6FE5FB3605EAAAB5B7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000094793Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:20:10.927{601D2BAB-116A-614B-0F02-00000000FD01}1996940C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{601D2BAB-04EF-614B-2300-00000000FD01}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094792Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:20:10.802{601D2BAB-04F0-614B-2B00-00000000FD01}28122832C:\Windows\system32\conhost.exe{601D2BAB-116A-614B-0F02-00000000FD01}1996C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094791Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:20:10.802{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094790Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:20:10.802{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094789Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:20:10.802{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094788Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:20:10.802{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094787Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:20:10.802{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094786Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:20:10.802{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094785Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:20:10.802{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094784Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:20:10.802{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094783Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:20:10.802{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094782Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:20:10.802{601D2BAB-04ED-614B-0500-00000000FD01}412428C:\Windows\system32\csrss.exe{601D2BAB-116A-614B-0F02-00000000FD01}1996C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000094781Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:20:10.802{601D2BAB-04EF-614B-2300-00000000FD01}15603852C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{601D2BAB-116A-614B-0F02-00000000FD01}1996C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000094780Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:20:10.803{601D2BAB-116A-614B-0F02-00000000FD01}1996C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{601D2BAB-04EE-614B-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{601D2BAB-04EF-614B-2300-00000000FD01}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000094779Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:20:10.771{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2D4AE399E4A74D11107EEAD1D8BE3453,SHA256=27713E906D7B132BE923CAAB94A8E15B67633D6F007038931078E8F9AF61C626,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000094778Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:20:10.380{601D2BAB-116A-614B-0E02-00000000FD01}28963736C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{601D2BAB-04EF-614B-2300-00000000FD01}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000094777Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:20:10.256{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8BE418E1CB98DF66EFE55D30AFE35D05,SHA256=74D843A5893F0E456896CF2D8818B835BE7EE9E9470D246B898CA0B0BB8C3C58,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000094776Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:20:10.256{601D2BAB-04F0-614B-2B00-00000000FD01}28122832C:\Windows\system32\conhost.exe{601D2BAB-116A-614B-0E02-00000000FD01}2896C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094775Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:20:10.256{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094774Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:20:10.256{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094773Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:20:10.256{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094772Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:20:10.256{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094771Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:20:10.256{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094770Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:20:10.256{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094769Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:20:10.256{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094768Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:20:10.256{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094767Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:20:10.256{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094766Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:20:10.256{601D2BAB-04ED-614B-0500-00000000FD01}412528C:\Windows\system32\csrss.exe{601D2BAB-116A-614B-0E02-00000000FD01}2896C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000094765Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:20:10.256{601D2BAB-04EF-614B-2300-00000000FD01}15603852C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{601D2BAB-116A-614B-0E02-00000000FD01}2896C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000094764Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:20:10.256{601D2BAB-116A-614B-0E02-00000000FD01}2896C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{601D2BAB-04EE-614B-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{601D2BAB-04EF-614B-2300-00000000FD01}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000112536Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:20:11.243{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A392BC43B94B16C292A267A6493F04A,SHA256=DE9E2BE2106D84592A077A9EDC0CB653D70F38CD33AB3B901DFEC5435010711A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000094795Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:20:11.943{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6477F278BE89EA1A41094C9C76AD8BBB,SHA256=E2881C261667E624F4A98628F6ABF67735DD9197508976AC1ED4A015AFC02045,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000094794Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:20:11.427{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=71C77F7A921397F674F6511DEE5FF024,SHA256=789358B12E3B1181977E404BED934ABE59D3AB1B08719A192F013AE65CF9E1C6,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000112535Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:20:08.562{D0132419-04E8-614B-6A00-00000000FC01}3852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local55844-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000094796Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:20:12.474{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB7E5DC6FFDA3CFDDAA5A465BB94159D,SHA256=B29221761A8C1787393C10C0C52DD1999ED60276B82794295ECFCF3E3E4A2503,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000112537Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:20:12.274{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E4AF053FDB5E18DAEE53B876771A547C,SHA256=4BAE839132B03718E6C4F3B7B68A0E941105525EA71E2D5C5DE6502CF7E55003,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000094810Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:20:13.474{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D5ADB3DE95B96E33F45CCE78D913FAB1,SHA256=EE82B986414ABBC07AC6067014B7A554868283359E65A0CF0B10C4B3FD5B38CE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000112538Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:20:13.290{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6BC6A8BDA341943BF35C782F0EDAB78B,SHA256=298DE0CBB98D4AC66AE051B7D72F2B0A3342A29893C5D842EC0F00BDBA604EEE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000094809Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:20:13.052{601D2BAB-04F0-614B-2B00-00000000FD01}28122832C:\Windows\system32\conhost.exe{601D2BAB-116D-614B-1002-00000000FD01}2368C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094808Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:20:13.052{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094807Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:20:13.052{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094806Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:20:13.052{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094805Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:20:13.052{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094804Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:20:13.052{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094803Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:20:13.052{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094802Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:20:13.052{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094801Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:20:13.052{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094800Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:20:13.052{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094799Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:20:13.052{601D2BAB-04ED-614B-0500-00000000FD01}412528C:\Windows\system32\csrss.exe{601D2BAB-116D-614B-1002-00000000FD01}2368C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000094798Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:20:13.052{601D2BAB-04EF-614B-2300-00000000FD01}15603852C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{601D2BAB-116D-614B-1002-00000000FD01}2368C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000094797Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:20:13.053{601D2BAB-116D-614B-1002-00000000FD01}2368C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{601D2BAB-04EE-614B-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{601D2BAB-04EF-614B-2300-00000000FD01}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000094813Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:20:14.490{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=92BEF8F29E5BFBD5B6A12318EBB4180B,SHA256=450041920EBCFED91F621EA193A09F0C0B88834F949715CD257697E8AE0B3649,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000112551Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:20:14.649{D0132419-0A65-614B-4601-00000000FC01}7122296C:\Windows\System32\RuntimeBroker.exe{D0132419-04D0-614B-1000-00000000FC01}388C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\System32\TokenBroker.dll+1158a|C:\Windows\System32\TokenBroker.dll+d335|C:\Windows\System32\TokenBroker.dll+d669|C:\Windows\System32\TokenBroker.dll+1ff53|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+618c3|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+8addb|C:\Windows\System32\combase.dll+8c2d2|C:\Windows\System32\combase.dll+39b93|C:\Windows\System32\combase.dll+8c4dd|C:\Windows\System32\combase.dll+37f4c|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 10341000x8000000000000000112550Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:20:14.649{D0132419-0A65-614B-4601-00000000FC01}7122296C:\Windows\System32\RuntimeBroker.exe{D0132419-04D0-614B-1000-00000000FC01}388C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\System32\TokenBroker.dll+22ee6|C:\Windows\System32\TokenBroker.dll+114b3|C:\Windows\System32\TokenBroker.dll+d335|C:\Windows\System32\TokenBroker.dll+d669|C:\Windows\System32\TokenBroker.dll+1ff53|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+618c3|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+8addb|C:\Windows\System32\combase.dll+8c2d2|C:\Windows\System32\combase.dll+39b93|C:\Windows\System32\combase.dll+8c4dd|C:\Windows\System32\combase.dll+37f4c|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000112549Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:20:14.618{D0132419-04CF-614B-0C00-00000000FC01}8481412C:\Windows\system32\svchost.exe{D0132419-116E-614B-5C02-00000000FC01}392C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000112548Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:20:14.571{D0132419-04CD-614B-0500-00000000FC01}424540C:\Windows\system32\csrss.exe{D0132419-116E-614B-5C02-00000000FC01}392C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000112547Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:20:14.571{D0132419-04CF-614B-0C00-00000000FC01}8481412C:\Windows\system32\svchost.exe{D0132419-116E-614B-5C02-00000000FC01}392C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+366e9|c:\windows\system32\rpcss.dll+3bed2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000112546Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:20:14.525{D0132419-04D0-614B-1500-00000000FC01}11286024C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\cryptsvc.dll+6124|c:\windows\system32\cryptsvc.dll+5e34|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000112545Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:20:14.477{D0132419-04CF-614B-0C00-00000000FC01}8481412C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000112544Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:20:14.477{D0132419-04CF-614B-0C00-00000000FC01}8481412C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000112543Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:20:14.477{D0132419-04CF-614B-0C00-00000000FC01}8481412C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000112542Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:20:14.477{D0132419-04CF-614B-0C00-00000000FC01}8481412C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000112541Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:20:14.477{D0132419-04CF-614B-0C00-00000000FC01}8481412C:\Windows\system32\svchost.exe{D0132419-04D0-614B-1000-00000000FC01}388C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000112540Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:20:14.477{D0132419-04CF-614B-0C00-00000000FC01}8481412C:\Windows\system32\svchost.exe{D0132419-04D0-614B-1000-00000000FC01}388C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000112539Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:20:14.321{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D0548B8353D066377631B2302F26ECD,SHA256=05A647A4CDB88A5B330F9604F20BF3FB673C2B6E14926A927B2BBB0CFB709A58,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000094812Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:20:12.210{601D2BAB-04F9-614B-6600-00000000FD01}2700C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-301.eu-central-1.compute.internal50346-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000094811Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:20:14.146{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=86ABBA0E5CF9957A896A12CA4BAEAFAC,SHA256=5A7EFB5110FCC37701F0F558931A0F0E009288B5ADCC91C44214F9B9FD3B8698,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000112554Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:20:15.540{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A658BA8EF4214A1C15B76082CBA503A6,SHA256=0D40DC1149ED5C424CFF54B5BB6E4D9E4B81969565C96F0B4E295A1317B2EF37,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000112553Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:20:15.540{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5441F38B21C108611AF0037FC645422F,SHA256=0D07424A07C7F3D2DA8FC82BC73163447D9A7B5875687A3E53D1D2E3AB2F777B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000112552Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:20:15.352{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE25E9C713C11A0416DF8354DBE9F175,SHA256=E5A9493639CBF449F983DF739B925BF2CD1514F520CD15F84A1D5BACAD09118E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000094815Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:20:15.516{601D2BAB-04EF-614B-1D00-00000000FD01}1920NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-03510517867203100\channels\health\respondent-20210922102657-051MD5=22FBA84AE51C77110BB6250FAEBEFB73,SHA256=8C4862C18A6D8E85F040577B2F2863C8212E82437A5FE9547DE6724818512818,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000094814Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:20:15.498{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5065BE46A1FB1D255D4FF5630C473B0C,SHA256=7B71484876FA5967AA0BFAEA615518B139414D938C08DF26D255554979786278,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000094817Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:20:16.524{601D2BAB-04EF-614B-1D00-00000000FD01}1920NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-03510517867203100\channels\health\surveyor-20210922102655-052MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000094816Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:20:16.508{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE1B4745F0E3FB7AE3ED58C7A65E1350,SHA256=95EF1F30BC685F2A8C5DCEE7F8E49698F8EF0E8596CFB93BB6AB5CA822C22ACD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000112556Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:20:16.368{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=78608EF799DF92B6ABB9617085CF9F5F,SHA256=503DA80A5D42319E2332683F43FD88B040ABBA74AA0E04D4B42DD6F1B38F689F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000112555Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:20:13.562{D0132419-04E8-614B-6A00-00000000FC01}3852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local55845-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000112557Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:20:17.399{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B5081C91205AA9B87D09B9E6623B988,SHA256=499505FFB7759FECA770081639B4CBDE4451087299660511042B031DA57CF25C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000094818Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:20:17.512{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=871B16455471315F815323CDBB03DDEA,SHA256=0C86DA7A0151C58D8BB385875B1ADBC5FBB8ED4A4F1C4DE66D1DCD55568298C7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000112558Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:20:18.430{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE409782A52C900F51F91A6B503C0ED8,SHA256=82588222E9CFBB6EE65D3363C69CD03F37D43CA0E15254D7F3799BAE6893ECF5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000094819Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:20:18.527{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=878CEB7506AD4612F41250E6A653425F,SHA256=6A6ED59B4FE6941FE5EAB45118AAFF9B65966F2A5429010223247F95963E26D2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000112559Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:20:19.462{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9BEAEC376C571B8461D873C201804496,SHA256=95EF504C6B279334DB71195F0366F23D7E1B38B0C5774D0E173A550B8CF20BB6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000094820Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:20:19.543{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F4991E27C1532E423269CA54E2E8265,SHA256=E6E164F3CF3F79712291D68106181978710CEA01F2938F2A9E3F16D72B6FDBF1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000112560Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:20:20.477{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C37E3A1A1B045104509E253F8041A487,SHA256=430945170789C88D32E37B8CD5A2257A56EFBECDD493506D52A21E89FBF738D0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000094822Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:20:20.573{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7EC056ECA13611A30065F3EA4267B0D8,SHA256=5452757D731EFB4FAEE69A9EA8FE255FE20132ED94B7B3B72B0FAFA741CDA19D,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000094821Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:20:18.201{601D2BAB-04F9-614B-6600-00000000FD01}2700C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-301.eu-central-1.compute.internal50347-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000094823Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:20:21.604{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E4990DED57678A717B67847A6B2F082,SHA256=1D19CD759AC463428146FC98C9026A8015195C686F13F33CDEBD74032855EA04,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000112562Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:20:21.509{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=27C2B676BE362AEF713EB5EA715E2567,SHA256=6C10CA6E3495D6E81F2091786C658DB24306D957EB417028C2247F378A8F0756,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000112561Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:20:18.624{D0132419-04E8-614B-6A00-00000000FC01}3852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local55846-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000112563Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:20:22.524{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=62B7BC8B917B958C0BE031FC8D83B05B,SHA256=97D564FEC5C8CBC2741B666F048BC346CE15C22BED46A7BBD20A95BF8B946003,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000094824Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:20:22.604{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=952B5C69E5AE7726B32317A2D56AB072,SHA256=96755D231B74AAE585557D9C0AE9D675154C1052F10B4A19D35CB84982BD983A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000112564Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:20:23.540{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=58C4746AC7826108684AF7046B483568,SHA256=F24FA0FD940885D1CD33C65D4B8E42722AB54EFAB6EB7AD09E5673989C467CC1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000094825Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:20:23.604{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=82919AE7458E54CDB64DC8BB2DAAA4A2,SHA256=C32177BD58FE113AD527330B3F77F3F84DAAE26DC341A02D61387AD396175C05,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000112565Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:20:24.555{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9BEE80297F7240B92FC3BC9515F3D2AE,SHA256=FDB2FB20257E90DD4DF2BAC50FFDF187A4A393AAED79A413B811CDC216FB8AB8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000094826Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:20:24.604{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=55AF91AB0A75AEC3C53F522B9D8CD3F8,SHA256=A92CB8B36B3984F3C5125DA57A5493644C37562C34D9DA90456E7960B7E67E1E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000094827Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:20:25.604{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5724A9F75D2EACE7BF3C56AF03A68259,SHA256=13B66A0BC9E268058C4923874E8F9C3C7EF3ACE4DB20E642CC2F44BBEB1388E9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000112567Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:20:25.571{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB7B992EAFC04C0E7F76AAEE22CFC21D,SHA256=2F03E40FA38F6570C88CEEBF027F8DEF04346C47E58D8AEA89AB57F28B5913E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000112566Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:20:25.055{D0132419-04D0-614B-1300-00000000FC01}396NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=6B4F256AA101975A78C7B0A068B79450,SHA256=00642A45AFEE700EDF136B783EF4CE6D372B80DFE0622600DBD8BA4ADEA5C72B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000112569Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:20:26.618{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=034E54993F7251EAD64764252720B0A7,SHA256=8FD9F9423BF3B4F37BD37811B2193E8B7E7F860F1B284F2652C7E10BEB1CB585,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000094829Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:20:26.636{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=18841FE602DCAB1C1B1AF25FE240B41B,SHA256=5DC1753BCD9C5A65635A8AD370BAB9D597A7FB9D4454CC1D9335EC26228F0D01,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000094828Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:20:23.981{601D2BAB-04F9-614B-6600-00000000FD01}2700C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-301.eu-central-1.compute.internal50348-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000112568Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:20:23.749{D0132419-04E8-614B-6A00-00000000FC01}3852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local55847-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000112570Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:20:27.634{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D62F4DB4F8567FA28E10AA046ED054CC,SHA256=6B248F91AF5B8F17065692E8C6771B9754BB590745B1F8E7309BC2EBDECE03BC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000094830Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:20:27.651{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=95B2A89A02D75881159A87619F901729,SHA256=A01F3087A177CA1781509676FD96A1BEEC7EB52137C036A6F026933C349FBD89,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000112571Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:20:28.665{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=94427E639B4DB93F65EAC9D7B198F40C,SHA256=0DA0D1F3F64BB9DC45779F48635CB9EB54157B04510A6DA7DDDD52BD956A7AA5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000094831Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:20:28.651{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=17D6EE83B94240D8806A32EC5C96B5D6,SHA256=E42A5483BC620683BF67006EB9EDF89E12115A5846BFEAB149A937630EA769D8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000112572Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:20:29.680{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=44DCDAD64B2322A03E95901A3DCE76AC,SHA256=2D92F9CC85133AFB4D2A81E4E885417ABD63B0B5D58C58D4E18C5280FA051270,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000094832Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:20:29.729{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F31DA7082005EFDB003473B7D23169CE,SHA256=F56A81E6CFF2BB1D577D58598D995A6F63DC53402D7DCAAE5E91CB03EBC211A3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000112573Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:20:30.681{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=845842BC642925CF4BD7FF2B4579C34A,SHA256=8722320370127CA0156188DF3E28DA4F3878C6E060527C31CABCAD320545A89F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000094833Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:20:30.745{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A7EB8DBAC51B524B83AE5659839EAD28,SHA256=3AA1E2BD18332C107059105B59D40130C851BAF6ACEFFA4426015E50B1787827,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000112585Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:20:31.712{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F4E4833BB5D9F2C3101BEC282830F184,SHA256=3AAD5E4D806602EA535CB061B39EFC8E18F6AF88E54B31DB40F49588F1ADBC31,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000094835Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:20:31.745{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4EE0B01F0D870E6E3CBE72042C2910D9,SHA256=EB58651362C0F7ABA277FB735F6948345BDF26CE2B29A93010606246BDACC9DD,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000112584Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:20:29.515{D0132419-04E8-614B-6A00-00000000FC01}3852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local55848-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 13241300x8000000000000000112583Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-SetValue2021-09-22 11:20:31.321{D0132419-04CD-614B-0B00-00000000FC01}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000008) 13241300x8000000000000000112582Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-SetValue2021-09-22 11:20:31.321{D0132419-04CD-614B-0B00-00000000FC01}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x0031b0c3) 13241300x8000000000000000112581Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-SetValue2021-09-22 11:20:31.321{D0132419-04CD-614B-0B00-00000000FC01}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7af9b-0x78a52483) 13241300x8000000000000000112580Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-SetValue2021-09-22 11:20:31.321{D0132419-04CD-614B-0B00-00000000FC01}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7afa3-0xda698c83) 13241300x8000000000000000112579Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-SetValue2021-09-22 11:20:31.321{D0132419-04CD-614B-0B00-00000000FC01}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7afac-0x3c2df483) 13241300x8000000000000000112578Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-SetValue2021-09-22 11:20:31.321{D0132419-04CD-614B-0B00-00000000FC01}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000008) 13241300x8000000000000000112577Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-SetValue2021-09-22 11:20:31.321{D0132419-04CD-614B-0B00-00000000FC01}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x0031b0c3) 13241300x8000000000000000112576Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-SetValue2021-09-22 11:20:31.321{D0132419-04CD-614B-0B00-00000000FC01}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7af9b-0x78a52483) 13241300x8000000000000000112575Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-SetValue2021-09-22 11:20:31.321{D0132419-04CD-614B-0B00-00000000FC01}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7afa3-0xda698c83) 13241300x8000000000000000112574Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-SetValue2021-09-22 11:20:31.321{D0132419-04CD-614B-0B00-00000000FC01}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7afac-0x3c2df483) 354300x800000000000000094834Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:20:29.981{601D2BAB-04F9-614B-6600-00000000FD01}2700C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-301.eu-central-1.compute.internal50349-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000112586Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:20:32.743{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6DB2A3377C7F4DF4810D34ED4D966139,SHA256=ADE05C4A4979EB4A41E31A19A0DD47218C9C07B0665D3A4C2F66ED2A18F4CBF6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000094836Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:20:32.745{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=71AC8E91A36A5F54A16F19785FBAD59B,SHA256=68A6E01EA96B07C9B9C4C36660A406ACD39986D2D75B30AB542A57ABA6CDC885,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000112587Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:20:33.774{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=53CBBAA53ECD768C4D15B717205AA5CB,SHA256=F92C4413A3D777AE769FAA81DEF9F2F02742F729F4D43AD9828B518C97195029,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000094837Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:20:33.776{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B8B45533CEE8FAACEACB770E01E07F5,SHA256=4309194E2741A727F87D24B42F29AC0ED2794D668DD083D6D66883289C7B12F7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000112588Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:20:34.821{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=831A903BD7FEEE3A28BCA617E343752D,SHA256=206CD0343190BCD1CCC16ADB026220C65EF1EEBE4CE590D6C5B0964EFCEC5A97,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000094838Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:20:34.807{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B9394C571A2BEF6AE74D5746883755D7,SHA256=8ACBF0CF9341302555CBD37A66554EB1735E521C3592FF2F9966888F9D7A2680,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000112589Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:20:35.837{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6892537669DA0A14F66DDD29BED4FB15,SHA256=717FF850DB3740C4128DD927E7EC6B8593A1B5E5471B02F8612B68F0CA70088A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000094839Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:20:35.839{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=54967805B0418770FBD6E757F1A48E26,SHA256=6EC9DB6773B3EDB1993D22862AE0F5519ECD8E350017668E82343F953666683E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000112592Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:20:36.946{D0132419-04DD-614B-2800-00000000FC01}2832NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=2990B16A694DD695D7F6C8AE7AEE48F0,SHA256=B465CF03FBDF89CAB3FC04972E2D540944CDC3DF8EB3010FFE979D2D499C10D3,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000112591Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:20:34.655{D0132419-04E8-614B-6A00-00000000FC01}3852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local55849-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000112590Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:20:36.852{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB947A39E1329B418224FF4F1C714DAA,SHA256=2C1E204E7133D940CE5ABDEA8952E1200C4DBCC20DC6E7C216E63D1D18D59C2B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000094841Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:20:36.870{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E759DFC7AB18345BC4660765936E37D,SHA256=58C118D2FE2912E945692D8C9BAD58DB3006D166A3436DA195BFE88C0FFF188A,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000094840Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:20:34.997{601D2BAB-04F9-614B-6600-00000000FD01}2700C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-301.eu-central-1.compute.internal50350-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000112593Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:20:37.868{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E2A69847125E71649B78BC5A31A402E4,SHA256=FE7D8CDB90F8996605DB595A4531B44E01322EDF991B7CD6A16A3A13E5EB0351,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000094842Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:20:37.886{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=977A3D66634F0F1469E8B5FD8C0C8EBA,SHA256=61841C7A58A3D6203615AB494D418DD2BC2D755D5C58A9E0C70393D450874DB3,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000112595Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:20:36.421{D0132419-04DD-614B-2800-00000000FC01}2832C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local55850-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x8000000000000000112594Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:20:38.884{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=383D6CBD270D26CBEE51C58C02EDCA82,SHA256=4119BADB57448C0CED8F2F2083F7261758B81A156E0BEE034B14417E0D401F4A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000094843Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:20:38.886{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=48933216C586312C86CF61445D627470,SHA256=BCE8A8E88CCA603F50220C62C162A14E51EE748A557F5814F8C19962D4D53CD8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000094844Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:20:39.913{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A326AE320B48C05AE17D8FFD00311C8,SHA256=04FEA716DB1CEEF6D06732CAB2B7399146B95489D7D6E436C03E3C1E15DBDD04,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000094845Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:20:40.944{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=792C37CFF2D6A88D70B3D2E9CC74CB25,SHA256=4B850956D54AE7B2C643A85FBFC9434E5CA031F763EB46D231E5F263EE665E90,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000112596Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:20:40.024{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7AC2B69BEF81F808F42A5A9EAF6F66F8,SHA256=834FE5F9D056AEBF4495CFE2CA9E9D34987734AE6F9749D6DC4E104E82F3CB1B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000094848Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:20:41.944{601D2BAB-04EF-614B-2300-00000000FD01}1560NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=2990B16A694DD695D7F6C8AE7AEE48F0,SHA256=B465CF03FBDF89CAB3FC04972E2D540944CDC3DF8EB3010FFE979D2D499C10D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000094847Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:20:41.944{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FAC9EE99D629FCEB4701128A395429B4,SHA256=9530CC6CE4A71AD0D042C84677DE9A7DDBFA1EA96E78E8C674003B596F39CC24,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000112597Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:20:41.040{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE1C730D88E79C324A34B70CE33DBD15,SHA256=B043AFD51619D9FB9049386409139617FCD753F835E5DE240DA088DA1FB69719,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000094846Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:20:40.181{601D2BAB-04F9-614B-6600-00000000FD01}2700C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-301.eu-central-1.compute.internal50351-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000094849Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:20:42.944{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5FCAAAFDBB57DCB8A1B991765E0DE53A,SHA256=07F9C77FBBA069C9D11CF8CF2C1EECC4FE144852B42A121DC7A688BB5FF96340,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000112599Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:20:40.624{D0132419-04E8-614B-6A00-00000000FC01}3852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local55851-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000112598Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:20:42.055{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E7746D08FBE3A0024F709D39995E654D,SHA256=E4BBC1A8456A3673E990FD50145C064B416DD360614D9B0BE71A365D1D5AD083,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000094851Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:20:43.945{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E470C5DCCB3214638811D9287D147F4A,SHA256=D3E23C3117D7CAFC21D94394404ACD49A3F83108210D9D800E8203EFABB84FAD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000112600Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:20:43.071{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB0ECABEB6DA6FA69E68F9868C99F17E,SHA256=EE91426B7098908E1404CE342BA3B7A96CA0FADE80E72F164F69F0932F02E472,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000094850Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:20:41.884{601D2BAB-04EF-614B-2300-00000000FD01}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-301.eu-central-1.compute.internal50352-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x800000000000000094852Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:20:44.960{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E03923EBF63FB59C2530D611939B6E99,SHA256=5508A76A53DC60EE30B36C7AECB2CC4FBD50BDC81C192E2CDBDD0C0B6172B455,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000112601Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:20:44.071{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1148933F06E2ECE163D1F33880C0ED78,SHA256=3F61C362C171B765F9E909D1087FB9B54D62B94309F49E0435E8729D5C38200F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000094853Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:20:45.960{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=58E2967272BDE71AD22C051C7FBAEF08,SHA256=33D76EFCD0F2C0DFB404B9C18E6D2B8C84EEF1C37BCCFFF378954B0675D054E9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000112602Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:20:45.087{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=33F85CED03A6E203778C07D5AD8D30C6,SHA256=E00972AB44F9D562BC30361EC6DB22DDE37EED9FDFAE50C3C20139F0E84443D9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000094854Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:20:46.960{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2DA8D13134DB82FE0BE733986411C698,SHA256=F8CA3F637F1BE46F0FC25EADED1C05C58E5855B027E382BC6036C524E0201AC6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000112603Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:20:46.102{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE2EB5F4AD442B310AC51FF857A7FEE8,SHA256=649C2DFE5B1A8F719AB301CCD5C3C4433022522984F452095A916E8FAEA46357,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000094856Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:20:46.196{601D2BAB-04F9-614B-6600-00000000FD01}2700C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-301.eu-central-1.compute.internal50353-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000094855Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:20:47.976{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=40E2DF2A2AF0A0795E6936C66F9614AE,SHA256=845884A3D9DC16F07271769494F7F88A4CF75FA5EDC99E7FF332F56F2D898D9D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000112604Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:20:47.134{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1A235616474D79D226BB2AC57E228D54,SHA256=FC7849E8F96E53909B14F12655969CEB5A67B5F72792C0F906AD9EAC86643F3D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000094857Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:20:48.976{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F872C12C611C96EDC2CB66A4F209585E,SHA256=A6A3116757FA77DCC3B1D35C5B991B49BE48269D5FADB5C2A01F6C04D31493DC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000112606Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:20:48.149{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FDCE3A6301A51F979DB1D239AEEB21D0,SHA256=319104ECA7906771351804086C4F176204D619B62EEDA236C3369B4D128EDEB9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000112605Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:20:45.655{D0132419-04E8-614B-6A00-00000000FC01}3852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local55852-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000094858Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:20:49.976{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B695A66803BEF0EC188F91D340693DEF,SHA256=3CFFCF0B735DD561EE210D35D8C5A6721956E7ADAB54358839008FCEFE6C1699,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000112615Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:20:49.524{D0132419-04DE-614B-3100-00000000FC01}23683044C:\Windows\system32\conhost.exe{D0132419-1191-614B-5D02-00000000FC01}5576C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000112614Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:20:49.524{D0132419-04CF-614B-0C00-00000000FC01}8481412C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000112613Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:20:49.524{D0132419-04CF-614B-0C00-00000000FC01}8481412C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000112612Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:20:49.524{D0132419-04CF-614B-0C00-00000000FC01}8481412C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000112611Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:20:49.524{D0132419-04CF-614B-0C00-00000000FC01}8481412C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000112610Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:20:49.524{D0132419-04CD-614B-0500-00000000FC01}42492C:\Windows\system32\csrss.exe{D0132419-1191-614B-5D02-00000000FC01}5576C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000112609Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:20:49.524{D0132419-04DD-614B-2800-00000000FC01}28323704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D0132419-1191-614B-5D02-00000000FC01}5576C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000112608Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:20:49.525{D0132419-1191-614B-5D02-00000000FC01}5576C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D0132419-04CD-614B-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{D0132419-04DD-614B-2800-00000000FC01}2832C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000112607Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:20:49.165{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A15AC7D3DC4F1E0CDDFA1EC9C62A6631,SHA256=F1D0C6ADFCB1999C25D76C239A8B88A9EAA13092D7E7D38C8796911F39600721,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000094859Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:20:50.991{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=87D7BCA6BDC692186025127C9B8F4E68,SHA256=3CF09B62F2CC55DA454BAD7F2A239384FE34E665FEC7624A30BAEEA42C7D02F7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000112627Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:20:50.790{D0132419-1192-614B-5E02-00000000FC01}42845744C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{D0132419-04DD-614B-2800-00000000FC01}2832C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000112626Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:20:50.602{D0132419-04DE-614B-3100-00000000FC01}23683044C:\Windows\system32\conhost.exe{D0132419-1192-614B-5E02-00000000FC01}4284C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000112625Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:20:50.602{D0132419-04CF-614B-0C00-00000000FC01}8481412C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000112624Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:20:50.602{D0132419-04CF-614B-0C00-00000000FC01}8481412C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000112623Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:20:50.602{D0132419-04CF-614B-0C00-00000000FC01}8481412C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000112622Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:20:50.602{D0132419-04CF-614B-0C00-00000000FC01}8481412C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000112621Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:20:50.602{D0132419-04CD-614B-0500-00000000FC01}424440C:\Windows\system32\csrss.exe{D0132419-1192-614B-5E02-00000000FC01}4284C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000112620Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:20:50.602{D0132419-04DD-614B-2800-00000000FC01}28323704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D0132419-1192-614B-5E02-00000000FC01}4284C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000112619Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:20:50.603{D0132419-1192-614B-5E02-00000000FC01}4284C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D0132419-04CD-614B-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{D0132419-04DD-614B-2800-00000000FC01}2832C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000112618Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:20:50.540{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2A5B15727453A06396E8708E7C2BA628,SHA256=F8625104139A510C48003270E878A91C74DCDCFD2397CD61D6AD998F49DE6B80,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000112617Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:20:50.540{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A658BA8EF4214A1C15B76082CBA503A6,SHA256=0D40DC1149ED5C424CFF54B5BB6E4D9E4B81969565C96F0B4E295A1317B2EF37,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000112616Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:20:50.212{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3AD488AB6E9691D2F99DBB620B2DA538,SHA256=568DCC68D5C8580CDCA9E5AEE9D204588C230B1E6E6D91B4FBAA664EAB0E8AEA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000112637Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:20:51.602{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2A5B15727453A06396E8708E7C2BA628,SHA256=F8625104139A510C48003270E878A91C74DCDCFD2397CD61D6AD998F49DE6B80,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000112636Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:20:51.290{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A1D114E7AA8B2F32B7C28B4776230F96,SHA256=9A2C75EFF7A9DCCE83815C7BBFF1E58B9C340A58ED4448DF3FC042C67E573468,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000112635Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:20:51.274{D0132419-04DE-614B-3100-00000000FC01}23683044C:\Windows\system32\conhost.exe{D0132419-1193-614B-5F02-00000000FC01}5416C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000112634Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:20:51.274{D0132419-04CF-614B-0C00-00000000FC01}8481412C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000112633Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:20:51.274{D0132419-04CF-614B-0C00-00000000FC01}8481412C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000112632Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:20:51.274{D0132419-04CF-614B-0C00-00000000FC01}8481412C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000112631Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:20:51.274{D0132419-04CF-614B-0C00-00000000FC01}8481412C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000112630Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:20:51.274{D0132419-04CD-614B-0500-00000000FC01}424540C:\Windows\system32\csrss.exe{D0132419-1193-614B-5F02-00000000FC01}5416C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000112629Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:20:51.274{D0132419-04DD-614B-2800-00000000FC01}28323704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D0132419-1193-614B-5F02-00000000FC01}5416C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000112628Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:20:51.275{D0132419-1193-614B-5F02-00000000FC01}5416C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D0132419-04CD-614B-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{D0132419-04DD-614B-2800-00000000FC01}2832C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000112640Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:20:52.305{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E67A8EE00CBD1226CB46C144CDAFF2EE,SHA256=3DC2E8F721AE9A3F93FC79C8EA6E63958BDE62E0AA328A0891BBFB461E954447,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000112639Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:20:50.468{D0132419-04CD-614B-0B00-00000000FC01}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local55853-true0:0:0:0:0:0:0:1win-dc-639.attackrange.local389ldap 354300x8000000000000000112638Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:20:50.467{D0132419-04DD-614B-2500-00000000FC01}2784C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local55853-true0:0:0:0:0:0:0:1win-dc-639.attackrange.local389ldap 23542300x800000000000000094860Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:20:52.007{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=71B684DBB53A255899809C7F0D6D258E,SHA256=47FDB814A05C92A508F186B86EBDBD91769E734CE39C3839D79089866AB6177F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000112650Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:20:53.790{D0132419-1195-614B-6002-00000000FC01}43605192C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D0132419-04DD-614B-2800-00000000FC01}2832C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000112649Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:20:53.571{D0132419-04DE-614B-3100-00000000FC01}23683044C:\Windows\system32\conhost.exe{D0132419-1195-614B-6002-00000000FC01}4360C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000112648Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:20:53.571{D0132419-04CF-614B-0C00-00000000FC01}8481412C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000112647Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:20:53.571{D0132419-04CF-614B-0C00-00000000FC01}8481412C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000112646Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:20:53.571{D0132419-04CF-614B-0C00-00000000FC01}8481412C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000112645Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:20:53.571{D0132419-04CF-614B-0C00-00000000FC01}8481412C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000112644Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:20:53.571{D0132419-04CD-614B-0500-00000000FC01}424540C:\Windows\system32\csrss.exe{D0132419-1195-614B-6002-00000000FC01}4360C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000112643Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:20:53.571{D0132419-04DD-614B-2800-00000000FC01}28323704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D0132419-1195-614B-6002-00000000FC01}4360C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000112642Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:20:53.572{D0132419-1195-614B-6002-00000000FC01}4360C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D0132419-04CD-614B-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{D0132419-04DD-614B-2800-00000000FC01}2832C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000112641Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:20:53.321{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C54CAE7E929CF37610F82CE450FF3436,SHA256=C8D845D99D6E8758FD2458D497C5C384D6126C8217AF24AE487BBA8C63012B57,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000094861Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:20:53.007{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FEC83A0D31067B4B151F504DA7D1BEFE,SHA256=F334E1EF83CF2644688F80E8EA59AA91AC455AB0B544CC9DB52275AD5BA544F6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000112653Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:20:54.649{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0663D329E7543475CA6401A3C9C73C75,SHA256=59BE6FF9277F9E17C62712D10E629911D86B748613B1200D2BBA2A2236BDCD32,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000112652Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:20:54.337{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B6126CB05695DC039C6C1C1AF01187A2,SHA256=4177272BB14B0B8659E8FC2FB9F3C2B0A08F2E79360545792DD102B5CE502014,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000094863Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:20:52.040{601D2BAB-04F9-614B-6600-00000000FD01}2700C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-301.eu-central-1.compute.internal50354-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000094862Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:20:54.023{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6444E8E9730DFBD5436B6A128A9A6821,SHA256=A4053ABDF7CF12831DF23CED062BE3396BA9EC537D9AD0E3619E562547EA80DC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000112651Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:20:51.608{D0132419-04E8-614B-6A00-00000000FC01}3852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local55854-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000112654Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:20:55.353{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=670B4B5CC50AA49EC0BF647BC2E15BBC,SHA256=7E4132B4494FDB1077E507C0F6D28F086C538826A700535728C32837FDBB4F89,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000094865Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:20:55.288{601D2BAB-04EE-614B-1100-00000000FD01}972NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=83082196355BA2C970786311318619DC,SHA256=05FCC79AD078B68D0E17B11D929C57DA9F668C254AEA9AFB996430420164FC57,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000094864Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:20:55.038{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A2C386A6C8AF55D364A225084A9857F4,SHA256=312FFC0F6DDA5338611F14A9F9BFA43C8E1A074AC98A420E7136F1F3CED3A4E5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000112655Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:20:56.368{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5BDE0D691900A0FF20002E58B1EE240A,SHA256=220D21B207CC8CEF24AF5FF6594CE21F5FBDFB9A696D7BE9A2A46ECC7E2158B4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000094866Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:20:56.054{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2C0A91CE578D82BD73EB41256B9634A2,SHA256=A4165AC40783A5A260060B38CC8D238DE28D567B2BBF4BB6B61A96FBAF30387B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000112656Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:20:57.399{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A95CBDC4570CEE8DD9FD80C9674497D7,SHA256=28F87DB014B778BCA90F2BFE35344F16A278447E063CD4BB5DA9C5024D470E3F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000094867Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:20:57.054{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E7A2A5CCADC6BCC967CD8D04586D4A9C,SHA256=911352748662EFE8A5CE544C7C60E1EA15B030FF3BDEF1E1683BB2B2319956B1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000112657Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:20:58.446{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=02ADD604C43C4002C8350C1D6AB5DF21,SHA256=88D962B344747ACE5FCE70683C307CC30C019A307ABE045FBEA76682801902DA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000094868Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:20:58.101{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4A3B5D9B81AD9870546777FCD4D3B7C0,SHA256=8CB7FD179340297CEBC11DA8DB9E734CEC3A2B7B50BA88F3E33BBE2CDD0292E1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000112660Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:20:59.512{D0132419-04DD-614B-2900-00000000FC01}2876NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-00d0db05f68d8430c\channels\health\respondent-20210922102639-052MD5=345F625AB226979275E8E5CD8333D545,SHA256=49B2C959B2C09B2DF7CFAED4905912E8B63F426A3734D76F2BAAFA07100D73D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000112659Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:20:59.463{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=95FF9116BDDFA89F84F57F2DA6BEAEC9,SHA256=4B8BDE266E4C8BDB625D465DE18EEB4D4BEEE584B094B886A642A764BC9A96B9,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000094870Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:20:57.150{601D2BAB-04F9-614B-6600-00000000FD01}2700C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-301.eu-central-1.compute.internal50355-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000094869Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:20:59.101{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E9AEA3BED7230A7A0644615F068ED38D,SHA256=FDFA6B861DF9CE6FE313717638ADA47F37843BB2C98C0FFF9C5D4012E0E9784C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000112658Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:20:57.639{D0132419-04E8-614B-6A00-00000000FC01}3852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local55855-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000112662Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:21:00.525{D0132419-04DD-614B-2900-00000000FC01}2876NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-00d0db05f68d8430c\channels\health\surveyor-20210922102637-053MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000112661Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:21:00.509{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6BF48CC521FC0110FC50A9135EFE82B4,SHA256=D4A0FE120465250BFBB5FC9FD4076D08E267EFD4DE1315548DFC77CF36E1C201,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000094871Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:21:00.125{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=136CA7B5F0A7C317DA65330E85491942,SHA256=0612BCED8ED1C9FAA89207489228E48414B801D5D855BF3F8BCCD62A4E059CFD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000112663Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:21:01.511{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2902DEF32565FDBCA99CD4A2FCD52066,SHA256=DD74F6AF09B3A61AE95DE83643A63422313E5D891C1C1E54263FB31B26A6E62D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000094872Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:21:01.125{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D4FD408113B3ECE8EF31E65482555B0,SHA256=1EE17CADEAD424A79F3E52653AC6A2139153A7ACADC78C7B5A430DF304D7D421,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000112664Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:21:02.542{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F89E8093E9F4954F44641EDBCD8FD72,SHA256=114735A2AADED256CE43B0BE5A092BCA3CAFE936E679DE49BD693BD2F71FDF1B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000094873Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:21:02.156{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F71F24D90CDA8B706F17EA33D58A6894,SHA256=E972732D2ACB2A5C0EA84427BEA643D3FFB777BD1A22E02AD621D342EB1A3142,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000112665Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:21:03.574{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC44232E3F6148AA77143CF24F2FAE4C,SHA256=A0DBD3B9E3B7AB8F48C6B9C1D43EB3A7F4C8BF3C93A0FDC8BA97D35C66942C86,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000094874Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:21:03.156{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C0D28BAE6C0E7031B00256019BDA245D,SHA256=D040C3CF82564B3F3CFDC75F85E484F433D21C233C3CB69AA3ED0E7B4EB1668F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000112666Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:21:04.589{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C8270272B471D380B753433847A23FC,SHA256=28195D9EA4C502429CA67BFE6CF74FEA07C8F7F6DFE194F846DE6ABFC519C237,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000094876Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:21:03.064{601D2BAB-04F9-614B-6600-00000000FD01}2700C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-301.eu-central-1.compute.internal50356-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000094875Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:21:04.172{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=374563A977BDD187F1D0C660B4B421B3,SHA256=82553C9EC2E4C100A961C8EBEC7CCCD9C942B9CBD96F6EA5E6EE3BE990462201,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000112668Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:21:05.605{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9BF23F4B85E29163E53488145E9EAE59,SHA256=828A59ADBDFD81A776BDD93B67F02E686AA32D62C61DEBF333CF53A05172E9C0,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000112667Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:21:03.532{D0132419-04E8-614B-6A00-00000000FC01}3852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local55856-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000094877Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:21:05.187{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1BFF03F17BA9CCACDA483D47C7764CD5,SHA256=5C3089CF7DB27D93CCCD0DDFCE580F721F6EC0F9C6F6F247C01DB6047C576561,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000112686Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:21:06.824{D0132419-04DE-614B-3100-00000000FC01}23683044C:\Windows\system32\conhost.exe{D0132419-11A2-614B-6202-00000000FC01}5864C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000112685Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:21:06.824{D0132419-04CF-614B-0C00-00000000FC01}8481412C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000112684Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:21:06.824{D0132419-04CF-614B-0C00-00000000FC01}8481412C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000112683Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:21:06.824{D0132419-04CF-614B-0C00-00000000FC01}8481412C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000112682Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:21:06.824{D0132419-04CF-614B-0C00-00000000FC01}8481412C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000112681Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:21:06.824{D0132419-04CD-614B-0500-00000000FC01}424440C:\Windows\system32\csrss.exe{D0132419-11A2-614B-6202-00000000FC01}5864C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000112680Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:21:06.824{D0132419-04DD-614B-2800-00000000FC01}28323704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D0132419-11A2-614B-6202-00000000FC01}5864C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000112679Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:21:06.825{D0132419-11A2-614B-6202-00000000FC01}5864C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{D0132419-04CD-614B-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{D0132419-04DD-614B-2800-00000000FC01}2832C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000112678Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:21:06.636{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D7682AA824437DA2B37A34141B459E98,SHA256=2687FEAE6F3A4A10F7ED837699856140B41F01EEBCB67165C9E54D9A059878C1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000094891Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:21:06.219{601D2BAB-04F0-614B-2B00-00000000FD01}28122832C:\Windows\system32\conhost.exe{601D2BAB-11A2-614B-1102-00000000FD01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094890Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:21:06.219{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094889Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:21:06.219{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094888Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:21:06.219{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094887Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:21:06.219{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094886Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:21:06.219{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094885Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:21:06.219{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094884Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:21:06.219{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094883Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:21:06.219{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094882Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:21:06.219{601D2BAB-04ED-614B-0500-00000000FD01}4121044C:\Windows\system32\csrss.exe{601D2BAB-11A2-614B-1102-00000000FD01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000094881Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:21:06.219{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094880Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:21:06.219{601D2BAB-04EF-614B-2300-00000000FD01}15603852C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{601D2BAB-11A2-614B-1102-00000000FD01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000094879Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:21:06.219{601D2BAB-11A2-614B-1102-00000000FD01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{601D2BAB-04EE-614B-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{601D2BAB-04EF-614B-2300-00000000FD01}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000094878Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:21:06.203{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=82F7F9B9EA5775F29790EB24C697A1C9,SHA256=31BE5E1A3ABECAB82BC08DB30565BAA04285091590FADBE9F53D4B67013D2AC0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000112677Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:21:06.386{D0132419-11A2-614B-6102-00000000FC01}44324256C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{D0132419-04DD-614B-2800-00000000FC01}2832C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000112676Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:21:06.199{D0132419-04DE-614B-3100-00000000FC01}23683044C:\Windows\system32\conhost.exe{D0132419-11A2-614B-6102-00000000FC01}4432C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000112675Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:21:06.199{D0132419-04CF-614B-0C00-00000000FC01}8481412C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000112674Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:21:06.199{D0132419-04CF-614B-0C00-00000000FC01}8481412C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000112673Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:21:06.199{D0132419-04CF-614B-0C00-00000000FC01}8481412C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000112672Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:21:06.199{D0132419-04CF-614B-0C00-00000000FC01}8481412C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000112671Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:21:06.199{D0132419-04CD-614B-0500-00000000FC01}42492C:\Windows\system32\csrss.exe{D0132419-11A2-614B-6102-00000000FC01}4432C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000112670Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:21:06.199{D0132419-04DD-614B-2800-00000000FC01}28323704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D0132419-11A2-614B-6102-00000000FC01}4432C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000112669Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:21:06.199{D0132419-11A2-614B-6102-00000000FC01}4432C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D0132419-04CD-614B-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{D0132419-04DD-614B-2800-00000000FC01}2832C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000094921Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:21:07.906{601D2BAB-11A3-614B-1302-00000000FD01}16562172C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{601D2BAB-04EF-614B-2300-00000000FD01}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094920Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:21:07.781{601D2BAB-04F0-614B-2B00-00000000FD01}28122832C:\Windows\system32\conhost.exe{601D2BAB-11A3-614B-1302-00000000FD01}1656C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094919Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:21:07.781{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094918Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:21:07.781{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094917Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:21:07.781{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094916Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:21:07.781{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094915Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:21:07.781{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094914Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:21:07.781{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094913Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:21:07.781{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094912Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:21:07.781{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094911Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:21:07.781{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094910Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:21:07.781{601D2BAB-04ED-614B-0500-00000000FD01}412528C:\Windows\system32\csrss.exe{601D2BAB-11A3-614B-1302-00000000FD01}1656C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000094909Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:21:07.781{601D2BAB-04EF-614B-2300-00000000FD01}15603852C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{601D2BAB-11A3-614B-1302-00000000FD01}1656C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000094908Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:21:07.782{601D2BAB-11A3-614B-1302-00000000FD01}1656C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{601D2BAB-04EE-614B-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{601D2BAB-04EF-614B-2300-00000000FD01}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000094907Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:21:07.594{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1A0EE3DA9F194E0DECA14F59A50E68DD,SHA256=2D756AFE0F072A409199E806FB6B070D972A4D048C0A183D8F0D44AB400E05E1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000094906Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:21:07.594{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C9129E2CC19C506F0D5017662A2F41E,SHA256=8EA112EEF0FF71C84177905229A479A6CAF28C95C8E76429CCBF8800BCB36725,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000094905Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:21:07.594{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2CB3C2A9FD9E9581B450E456029B7AF1,SHA256=790798A71E9545916B53E1A8FFDAF3F4D6F64393FF9C9A56ABA569CC020AF1C5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000112698Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:21:07.683{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AEDA78C7EFA95C5766EBF25B291E1F5F,SHA256=6D41B61A5D65BCCF23A131E9072784766B47BC8EDDE5AB999F408F0A5E904823,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000112697Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:21:07.449{D0132419-04DE-614B-3100-00000000FC01}23683044C:\Windows\system32\conhost.exe{D0132419-11A3-614B-6302-00000000FC01}1164C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000112696Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:21:07.449{D0132419-04CF-614B-0C00-00000000FC01}8481412C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000112695Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:21:07.449{D0132419-04CF-614B-0C00-00000000FC01}8481412C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000112694Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:21:07.449{D0132419-04CF-614B-0C00-00000000FC01}8481412C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000112693Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:21:07.449{D0132419-04CF-614B-0C00-00000000FC01}8481412C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000112692Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:21:07.449{D0132419-04CD-614B-0500-00000000FC01}424440C:\Windows\system32\csrss.exe{D0132419-11A3-614B-6302-00000000FC01}1164C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000112691Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:21:07.449{D0132419-04DD-614B-2800-00000000FC01}28323704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D0132419-11A3-614B-6302-00000000FC01}1164C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000112690Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:21:07.450{D0132419-11A3-614B-6302-00000000FC01}1164C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D0132419-04CD-614B-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{D0132419-04DD-614B-2800-00000000FC01}2832C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000112689Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:21:07.261{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=22C0C0D75F6B244A11595340A889E30B,SHA256=0DD5D375997F117A8E296ECE6E82508D9EC7D7A3038B14A101FD32845C165E57,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000112688Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:21:07.261{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F7DDF078C7777EB091B0D706713B4DF7,SHA256=29124A75E5EAC8396D5316B0F18F6FFF191953E1B4DE734CF1684F57E7CD49FE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000112687Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:21:06.996{D0132419-11A2-614B-6202-00000000FC01}58645072C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D0132419-04DD-614B-2800-00000000FC01}2832C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094904Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:21:07.109{601D2BAB-04F0-614B-2B00-00000000FD01}28122832C:\Windows\system32\conhost.exe{601D2BAB-11A3-614B-1202-00000000FD01}3456C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094903Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:21:07.109{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094902Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:21:07.109{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094901Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:21:07.109{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094900Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:21:07.109{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094899Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:21:07.109{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094898Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:21:07.109{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094897Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:21:07.109{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094896Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:21:07.109{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094895Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:21:07.109{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094894Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:21:07.109{601D2BAB-04ED-614B-0500-00000000FD01}4121044C:\Windows\system32\csrss.exe{601D2BAB-11A3-614B-1202-00000000FD01}3456C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000094893Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:21:07.109{601D2BAB-04EF-614B-2300-00000000FD01}15603852C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{601D2BAB-11A3-614B-1202-00000000FD01}3456C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000094892Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:21:07.110{601D2BAB-11A3-614B-1202-00000000FD01}3456C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{601D2BAB-04EE-614B-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{601D2BAB-04EF-614B-2300-00000000FD01}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000112700Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:21:08.714{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A725FD5769541A7E95072C3DE0689CF,SHA256=BDF0E06B80B681279A0D6D6745C68911EB2DFD65E1EF903E6EBFE9C1292DC98E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000094923Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:21:08.828{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=302D15624333E3A419F358BD70CF53E0,SHA256=5C94188A7E100C3BA7E51BEEFA6B06221298C72DA14CBB35CBD468E970654264,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000094922Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:21:08.828{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1A0EE3DA9F194E0DECA14F59A50E68DD,SHA256=2D756AFE0F072A409199E806FB6B070D972A4D048C0A183D8F0D44AB400E05E1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000112699Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:21:08.496{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=22C0C0D75F6B244A11595340A889E30B,SHA256=0DD5D375997F117A8E296ECE6E82508D9EC7D7A3038B14A101FD32845C165E57,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000094938Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:21:09.890{601D2BAB-11A5-614B-1402-00000000FD01}30882948C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{601D2BAB-04EF-614B-2300-00000000FD01}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000094937Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:21:09.844{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=535442E406592C62BBB06A29FC793187,SHA256=77AFDCAAB37DD58D92C98F8402E808133859AAF408A06739AB792A8CF5DFE09A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000112729Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:21:09.449{D0132419-04CF-614B-0D00-00000000FC01}908928C:\Windows\system32\svchost.exe{D0132419-0A67-614B-5101-00000000FC01}4416C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000112728Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:21:09.449{D0132419-04CF-614B-0D00-00000000FC01}908928C:\Windows\system32\svchost.exe{D0132419-0A67-614B-5101-00000000FC01}4416C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000112727Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:21:09.449{D0132419-04CF-614B-0D00-00000000FC01}908928C:\Windows\system32\svchost.exe{D0132419-0A67-614B-5101-00000000FC01}4416C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000112726Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:21:09.449{D0132419-04CF-614B-0D00-00000000FC01}908928C:\Windows\system32\svchost.exe{D0132419-0A67-614B-5101-00000000FC01}4416C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000112725Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:21:09.449{D0132419-04CF-614B-0D00-00000000FC01}908928C:\Windows\system32\svchost.exe{D0132419-0A67-614B-5101-00000000FC01}4416C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000112724Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:21:09.449{D0132419-04CF-614B-0D00-00000000FC01}908928C:\Windows\system32\svchost.exe{D0132419-0A67-614B-5101-00000000FC01}4416C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000112723Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:21:09.449{D0132419-04CF-614B-0D00-00000000FC01}908928C:\Windows\system32\svchost.exe{D0132419-0A67-614B-5101-00000000FC01}4416C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000112722Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:21:09.449{D0132419-04CF-614B-0D00-00000000FC01}908928C:\Windows\system32\svchost.exe{D0132419-0A67-614B-5101-00000000FC01}4416C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000112721Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:21:09.449{D0132419-04CF-614B-0D00-00000000FC01}908928C:\Windows\system32\svchost.exe{D0132419-0A67-614B-5201-00000000FC01}4528C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000112720Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:21:09.449{D0132419-04CF-614B-0D00-00000000FC01}908928C:\Windows\system32\svchost.exe{D0132419-0A67-614B-5201-00000000FC01}4528C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000112719Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:21:09.449{D0132419-04CF-614B-0D00-00000000FC01}908928C:\Windows\system32\svchost.exe{D0132419-0A67-614B-5201-00000000FC01}4528C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000112718Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:21:09.449{D0132419-04CF-614B-0D00-00000000FC01}908928C:\Windows\system32\svchost.exe{D0132419-0A66-614B-5001-00000000FC01}4192C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000112717Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:21:09.449{D0132419-04CF-614B-0D00-00000000FC01}908928C:\Windows\system32\svchost.exe{D0132419-0A66-614B-5001-00000000FC01}4192C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000112716Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:21:09.449{D0132419-04CF-614B-0D00-00000000FC01}908928C:\Windows\system32\svchost.exe{D0132419-0A66-614B-5001-00000000FC01}4192C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000112715Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:21:09.449{D0132419-04CF-614B-0D00-00000000FC01}908928C:\Windows\system32\svchost.exe{D0132419-0A66-614B-5001-00000000FC01}4192C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000112714Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:21:09.449{D0132419-04CF-614B-0D00-00000000FC01}908928C:\Windows\system32\svchost.exe{D0132419-0A66-614B-5001-00000000FC01}4192C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000112713Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:21:09.449{D0132419-04CF-614B-0D00-00000000FC01}908928C:\Windows\system32\svchost.exe{D0132419-0A66-614B-5001-00000000FC01}4192C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000112712Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:21:09.449{D0132419-04CF-614B-0D00-00000000FC01}908928C:\Windows\system32\svchost.exe{D0132419-0A66-614B-5001-00000000FC01}4192C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000112711Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:21:09.449{D0132419-04CF-614B-0D00-00000000FC01}908928C:\Windows\system32\svchost.exe{D0132419-0A66-614B-5001-00000000FC01}4192C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000112710Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:21:09.449{D0132419-04CF-614B-0D00-00000000FC01}908928C:\Windows\system32\svchost.exe{D0132419-0A66-614B-5001-00000000FC01}4192C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000112709Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:21:09.449{D0132419-04CF-614B-0D00-00000000FC01}908928C:\Windows\system32\svchost.exe{D0132419-0A66-614B-5001-00000000FC01}4192C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000112708Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:21:09.449{D0132419-04CF-614B-0D00-00000000FC01}908928C:\Windows\system32\svchost.exe{D0132419-0A66-614B-5001-00000000FC01}4192C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000112707Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:21:09.449{D0132419-04CF-614B-0D00-00000000FC01}908928C:\Windows\system32\svchost.exe{D0132419-0A66-614B-5001-00000000FC01}4192C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000112706Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:21:09.449{D0132419-04CF-614B-0D00-00000000FC01}908928C:\Windows\system32\svchost.exe{D0132419-0A66-614B-5001-00000000FC01}4192C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000112705Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:21:09.449{D0132419-04CF-614B-0D00-00000000FC01}908928C:\Windows\system32\svchost.exe{D0132419-0A66-614B-5001-00000000FC01}4192C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000112704Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:21:09.449{D0132419-04CF-614B-0D00-00000000FC01}908928C:\Windows\system32\svchost.exe{D0132419-0A66-614B-5001-00000000FC01}4192C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000112703Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:21:09.449{D0132419-04CF-614B-0D00-00000000FC01}908928C:\Windows\system32\svchost.exe{D0132419-0A66-614B-5001-00000000FC01}4192C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000112702Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:21:09.449{D0132419-04CF-614B-0D00-00000000FC01}908928C:\Windows\system32\svchost.exe{D0132419-0A66-614B-5001-00000000FC01}4192C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000112701Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:21:09.449{D0132419-04CF-614B-0D00-00000000FC01}908928C:\Windows\system32\svchost.exe{D0132419-0A66-614B-5001-00000000FC01}4192C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094936Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:21:09.750{601D2BAB-04F0-614B-2B00-00000000FD01}28122832C:\Windows\system32\conhost.exe{601D2BAB-11A5-614B-1402-00000000FD01}3088C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094935Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:21:09.750{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094934Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:21:09.750{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094933Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:21:09.750{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094932Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:21:09.750{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094931Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:21:09.750{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094930Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:21:09.750{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094929Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:21:09.750{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094928Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:21:09.750{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094927Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:21:09.750{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094926Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:21:09.750{601D2BAB-04ED-614B-0500-00000000FD01}4121044C:\Windows\system32\csrss.exe{601D2BAB-11A5-614B-1402-00000000FD01}3088C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000094925Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:21:09.750{601D2BAB-04EF-614B-2300-00000000FD01}15603852C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{601D2BAB-11A5-614B-1402-00000000FD01}3088C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000094924Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:21:09.751{601D2BAB-11A5-614B-1402-00000000FD01}3088C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{601D2BAB-04EE-614B-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{601D2BAB-04EF-614B-2300-00000000FD01}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000094968Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:21:10.922{601D2BAB-04F0-614B-2B00-00000000FD01}28122832C:\Windows\system32\conhost.exe{601D2BAB-11A6-614B-1602-00000000FD01}1864C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094967Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:21:10.922{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094966Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:21:10.922{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094965Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:21:10.922{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094964Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:21:10.922{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094963Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:21:10.922{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094962Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:21:10.922{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094961Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:21:10.922{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094960Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:21:10.922{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094959Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:21:10.922{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094958Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:21:10.922{601D2BAB-04ED-614B-0500-00000000FD01}4121044C:\Windows\system32\csrss.exe{601D2BAB-11A6-614B-1602-00000000FD01}1864C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000094957Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:21:10.922{601D2BAB-04EF-614B-2300-00000000FD01}15603852C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{601D2BAB-11A6-614B-1602-00000000FD01}1864C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000094956Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:21:10.922{601D2BAB-11A6-614B-1602-00000000FD01}1864C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{601D2BAB-04EE-614B-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{601D2BAB-04EF-614B-2300-00000000FD01}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000094955Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:21:10.891{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9B2DA2A6BB058C205B51BEEF96A334F2,SHA256=A57785B8543C50CB55F5C717D0576EB592554159A34C8BF7A4EB6E786BD5D58B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000094954Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:21:10.875{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D7E3F84CDE6469CCBB65EDB59972A9B9,SHA256=EE510DC06816F226BD281AFB1AC9D1B1C56B37DCD06CCB52BE4128CE79ADD287,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000112731Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:21:08.563{D0132419-04E8-614B-6A00-00000000FC01}3852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local55857-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000112730Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:21:10.105{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B237672D473286BC207F03F4A3B70BD1,SHA256=EBAAA2C129AADCA2E10A12BF7942699D42C0E098D49F0AF708E542BC3D0DB9A0,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000094953Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:21:09.064{601D2BAB-04F9-614B-6600-00000000FD01}2700C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-301.eu-central-1.compute.internal50357-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x800000000000000094952Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:21:10.375{601D2BAB-11A6-614B-1502-00000000FD01}3436616C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{601D2BAB-04EF-614B-2300-00000000FD01}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094951Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:21:10.250{601D2BAB-04F0-614B-2B00-00000000FD01}28122832C:\Windows\system32\conhost.exe{601D2BAB-11A6-614B-1502-00000000FD01}3436C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094950Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:21:10.250{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094949Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:21:10.250{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094948Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:21:10.250{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094947Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:21:10.250{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094946Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:21:10.250{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094945Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:21:10.250{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094944Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:21:10.250{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094943Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:21:10.250{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094942Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:21:10.250{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094941Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:21:10.250{601D2BAB-04ED-614B-0500-00000000FD01}4121044C:\Windows\system32\csrss.exe{601D2BAB-11A6-614B-1502-00000000FD01}3436C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000094940Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:21:10.250{601D2BAB-04EF-614B-2300-00000000FD01}15603852C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{601D2BAB-11A6-614B-1502-00000000FD01}3436C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000094939Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:21:10.251{601D2BAB-11A6-614B-1502-00000000FD01}3436C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{601D2BAB-04EE-614B-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{601D2BAB-04EF-614B-2300-00000000FD01}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000094970Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:21:11.890{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=404BAF7526D6A37F269F5345FC97354A,SHA256=8197512A78085EAF9458BF65659F760FE6474F8DA1B18BF1B82E01019CBB1CA0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000112732Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:21:11.136{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D6ACA880A66F2213F473DDA006120E56,SHA256=0149561775BB187F608B41E96822B872E3262246A78C346CCE647B54B34F701E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000094969Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:21:11.047{601D2BAB-11A6-614B-1602-00000000FD01}18643820C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{601D2BAB-04EF-614B-2300-00000000FD01}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000094972Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:21:12.890{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=39A60BAE18A04E38790233AB78BD73A6,SHA256=E881F0DFD64D4533D85F6AD417E44CCD8F3257FD0FBDBAF861160D782D2BEE7F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000112733Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:21:12.152{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C6F386D23BB62BD464E6BC228EE9F7FE,SHA256=A9421CF7D6E9BB8A9010A4033DE520D958EA69F448904673F968CCE530508A8B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000094971Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:21:12.047{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E38EA744AB2BF7EA886374EAAD238639,SHA256=5F56408018D27EC1F20A370DA61B8493166B7F7BDF22F1679603E55CDE71B76B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000094986Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:21:13.984{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=467A9FBD9D1AB318957BDD4F84CC5FC0,SHA256=4A9748E2768464A5D134D92326923AA634BB512713146275152E3D50756E3A23,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000112734Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:21:13.167{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F686BD4E93796F5ACDEFAECDEC04EBAE,SHA256=D8A039FDDC29431776CAA8DCDF0E50B9B7B44C846B66782115AC82A76186A7A5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000094985Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:21:13.047{601D2BAB-04F0-614B-2B00-00000000FD01}28122832C:\Windows\system32\conhost.exe{601D2BAB-11A9-614B-1702-00000000FD01}1640C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094984Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:21:13.047{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094983Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:21:13.047{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094982Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:21:13.047{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094981Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:21:13.047{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094980Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:21:13.047{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094979Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:21:13.047{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094978Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:21:13.047{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094977Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:21:13.047{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094976Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:21:13.047{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094975Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:21:13.047{601D2BAB-04ED-614B-0500-00000000FD01}412528C:\Windows\system32\csrss.exe{601D2BAB-11A9-614B-1702-00000000FD01}1640C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000094974Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:21:13.047{601D2BAB-04EF-614B-2300-00000000FD01}15603852C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{601D2BAB-11A9-614B-1702-00000000FD01}1640C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000094973Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:21:13.047{601D2BAB-11A9-614B-1702-00000000FD01}1640C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{601D2BAB-04EE-614B-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{601D2BAB-04EF-614B-2300-00000000FD01}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000094988Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:21:14.984{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2476725240E34DA8996279793E632B0A,SHA256=C2879B60CED181BC30F38896061F32481624630F12A9C8FFD3B0B326515F052E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000112735Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:21:14.183{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA6CB7A92B88CCEDA0BDFE2261E5F551,SHA256=D50A3914CD8FF61577D1BBBABC1F22A9CCD5E648D2A4705D02EA65AE5B0F4FAB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000094987Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:21:14.094{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5448FB9A59E01F70C852CE5808614922,SHA256=2715C0A1417BE4ADF6FBE30D7ED9823E17449ECCDE7D81508F6BD0816367DCEE,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000112737Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:21:13.610{D0132419-04E8-614B-6A00-00000000FC01}3852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local55858-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000112736Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:21:15.199{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=02A53C7DFFE5EAE55F0DE7B6EB026B0B,SHA256=60F30974C3EA438254AA764FEF1A7C4A2F5EF227ED1227334DE65605BAD9CFD8,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000094989Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:21:14.064{601D2BAB-04F9-614B-6600-00000000FD01}2700C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-301.eu-central-1.compute.internal50358-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000112738Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:21:16.214{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E6336BF20080A331082A5FC9D31EB3A,SHA256=EFD315D8CA1175E6885CA964D3870202EE695F67E7369FB81EE51AB390AB7CE0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000094990Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:21:16.000{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D2C90BBC9D0FEAD29B48F65F6C448E3,SHA256=239E396BC047A26DA17F18CCAD8631218873BBC82C1BA20902515196E2AF42DC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000112739Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:21:17.230{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D53094E7ABF48D806DE3E686C2D9586E,SHA256=B2321EF4CD17BDB7751373AA9E20BE716F1FD0776B3BCDDCD6EF95D42C9D710A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000094992Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:21:17.035{601D2BAB-04EF-614B-1D00-00000000FD01}1920NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-03510517867203100\channels\health\respondent-20210922102657-052MD5=22FBA84AE51C77110BB6250FAEBEFB73,SHA256=8C4862C18A6D8E85F040577B2F2863C8212E82437A5FE9547DE6724818512818,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000094991Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:21:17.001{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B394D5B54FEF17C8732DB8DC8840F637,SHA256=541ECA21D8E34176ED031C5A51BF56CDA96A51DFB77A80CFFD5A1BDD6C90F36B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000112740Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:21:18.246{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=77B7608C5F203324BBA65418227FF0BB,SHA256=5302F3412C6EDF76B962B2A12569A34A4A870B9623E52C2A9E62DB761CF520EE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000094994Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:21:18.048{601D2BAB-04EF-614B-1D00-00000000FD01}1920NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-03510517867203100\channels\health\surveyor-20210922102655-053MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000094993Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:21:18.016{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E5E05B5A0042B27AC23660E8D9773FB,SHA256=5629D2A5241B761EC2C006DC899BAE1BF7EFB96D8AE4A72DE797C69FF1C694EF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000112741Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:21:19.261{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FD11AA12A11E03020EE7D2270474F549,SHA256=32E02CBF090040337DC4798CA95C2C8EC1E77B937C07815FDA141FEFDCD718CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000094995Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:21:19.020{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F8BC433EE3759BF53B08604609FBCBC5,SHA256=6B1F9BC152ABF7D6222468F9A6FB2C8FD00628A1E90E7046FA18345F8AFFE6B9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000112742Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:21:20.277{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B338312F00924A14DAC6EF089141B172,SHA256=D795ECCE7D9FABEE6F2DA68D796B403CC2947D287C412D3835259321D376DD49,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000094996Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:21:20.031{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB32D3E918908E7E81D497A25D2C366E,SHA256=779529771FA1BBD0C9B2084C6CD93C3A1ED9255FEE97A39E3EBA009F71F39600,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000112744Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:21:19.610{D0132419-04E8-614B-6A00-00000000FC01}3852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local55859-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000112743Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:21:21.292{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A5F32D03EF1CBE3940C53F6264E96B2,SHA256=007069246CFF04442EA6A2C7DE97960B8334FAFB67F4C8F9D7E4D298568CC78C,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000094998Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:21:20.048{601D2BAB-04F9-614B-6600-00000000FD01}2700C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-301.eu-central-1.compute.internal50359-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000094997Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:21:21.031{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=11A464782CB41F2CD9AC3E64ECD765AE,SHA256=C3ABF8EE4F598ED21D3F4168289B449BB0B5871AC7ADCCA02FAD1D62EEB9DD18,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000112745Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:21:22.308{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0FEC59E30CC7E1B3EED45F6A5065A70E,SHA256=607177E9F966986D499DE04686C2A0E3A1011E789D7675BD74FCB028741808D8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000094999Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:21:22.062{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=721386A535E7D7176AF5E3D098BD7E25,SHA256=5007A525DE92AC2455B46B1E2123C3A5443D06E565D9BA3184E677B5B39B9BE6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000112746Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:21:23.324{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CBACA29CEB4AB9F975DDA50083A707F7,SHA256=E7ABEFC8F42593459A655EBF48A244D37B0ADB28F75462FD87A309EEC86E24A5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000095000Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:21:23.078{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=62AE960D8F2282240F6B82F82538985A,SHA256=37D69E86CF585CC511B810E45760E9D665C50F38C1A5624CE6B1931E7A10165C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000112747Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:21:24.339{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F42BF4375B8809E050D8355F2552B29,SHA256=D6316FDDD65B2227A27CF310AF6C605858F621AD32637422711F703838764828,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000095001Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:21:24.093{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=99EC56495239D0B594ECA7E11FECDF17,SHA256=6FF6F9FABA6327161526C5E620FC62A6AB7795C74DD877B17E8C6EFAC0825AEC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000112749Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:21:25.355{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0EF6819C83C021235BD47D870C9AAD5A,SHA256=3B9EDD9B6EDC540C311B96C8376A67CB8278D6491AADF3711E10D9B7DD166BBE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000095002Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:21:25.093{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1EEE10CBDD1105552883282CF10F755D,SHA256=CB3FB7471EBD1175DB9E70EFCB7EA6F6E5AFEAD4A42FA1C1D2D7865ADCE082BC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000112748Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:21:25.058{D0132419-04D0-614B-1300-00000000FC01}396NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=112DE6E543B849A7E6CC53F7CF58604D,SHA256=6E8A5D65D243D0A2E515125804D4F7569606B091DB7F4C42F667F7F89795896F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000112750Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:21:26.371{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2CDCBD3456DC5E99D61CC30ACBE04A5F,SHA256=2C0C92EA6E026CF79571CDE7FC203D134EEA5A647F6F446A7BDC7FABA66360F4,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000095004Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:21:25.158{601D2BAB-04F9-614B-6600-00000000FD01}2700C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-301.eu-central-1.compute.internal50360-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000095003Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:21:26.109{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E9800C922836D480974C4C3E0D81F8B,SHA256=10FB25A4DA2BB3262B35388B5F243EDFD23CBE59FA46FB496E6F0570361C1832,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000112752Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:21:27.371{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DFFB78B80F4720966BB994A3F2C2FEF1,SHA256=E7B298BEA8FB77F64BA9566304689841B3C61CDB26FDDE0CB264A46296368FA9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000095005Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:21:27.124{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=94E349BDC72821151CEF0DE9A79E2FDF,SHA256=AABC21C57A21ABA101382E193DC664BC89F645E36ECBD6C028806E3D43C67918,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000112751Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:21:24.704{D0132419-04E8-614B-6A00-00000000FC01}3852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local55860-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000112753Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:21:28.386{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=556426B03C39317E4385D89D03118C29,SHA256=5615109BD3AFD08D63BEAD7AF356270636E6A28716F8EFE664279AD4B2CE5820,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000095006Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:21:28.140{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6346FA319F0D8B486929CEF8B19D6E16,SHA256=8061739A2A296EFF01DD37FB55FDA39DABB52CDF4F2FE9448D6F171F96E7DBC8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000112754Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:21:29.417{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=95C2B5F097BEEFEBC73BBB3C274D7552,SHA256=52DCE3C0A8B80FDBDB3CDFF9F186A2C4170B36835FE7D2B60AA43452EE9546DC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000095007Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:21:29.156{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BFE1D16B8B927F4874C50C2BBD74BC32,SHA256=3D4D6D515C469B146D3722356DC1349A1ADFE11F7EB0584519B8476AB423AED6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000112755Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:21:30.449{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=43086141BD076837E7E952ABD9532B40,SHA256=BB534AB6607E3DE859895771882F1E754E136C8DEB6AE463BF2AF2CA14E0607A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000095008Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:21:30.187{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F50972AC2056B504FE64F709B9BC0D2,SHA256=2130A39354513C4AF34839D05DE5B20DBCCB7C2B30B736802A3BE4B1530FC139,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000112756Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:21:31.496{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F3E867B2F4A66EABD2C1FD8965A08692,SHA256=324C25BED7A0F0447A2DD97E7BA8F966BEA78241037A2F1F13A133D5884BC2D2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000095009Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:21:31.187{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=32F827F854F7D7B677C14C1FB7BD4427,SHA256=4AF623311C15957AE8E2FF4252407A83E78085A8D751E8323AE79DE159F0173E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000112757Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:21:32.511{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=02EC1A4CB26249613FAF5E52FBFC648A,SHA256=3110325FB2FE336CC6748F7D3D1D61AD902F229717052086447AEAAC7E2AC00C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000095011Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:21:32.234{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=72C0BC88BD7B914AB41E6A7E32508356,SHA256=DF13D8AF5E53766381E28A07241CC90312437D4B048609E3F6DE42BBB29ACAD9,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000095010Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:21:30.160{601D2BAB-04F9-614B-6600-00000000FD01}2700C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-301.eu-central-1.compute.internal50361-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000112759Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:21:33.527{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=509DC844ADCD53004536CC3904F129F3,SHA256=8D8E9A8831D85AADCEF0368A9AEE1197F6137817EC79463FA0C4DA8881787B90,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000095012Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:21:33.250{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E32811495146A4B61C7EAFA7CB6344F2,SHA256=FE12A09F0D269E97A54046453B6D61BC21E1157220584CC03D2EECEBA6A0AC3F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000112758Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:21:30.626{D0132419-04E8-614B-6A00-00000000FC01}3852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local55861-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000112760Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:21:34.527{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D45E250BFCE87D2F6A5926D33A79F70,SHA256=C96B0A41275749667BCE8478F3D0F98EC9A7204115EF885E0C14286C9755C082,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000095013Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:21:34.265{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=89E68EC0007DB2E656D7B44479A759BE,SHA256=8464354FA395F2218C5177DEDCC903C90056C4630319423EB53DA72CD03A374E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000112761Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:21:35.542{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8AF576EEEB1C7F8FA9DB6BB46B2D3A43,SHA256=2A8964039699A63640A3959BF63D9505E3FB9F08A4D79A27489F92944BE3E658,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000095014Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:21:35.296{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D5F23543A41888BFA089F368E042BC9D,SHA256=31870F043B458468C7647DCDBF101DC5B7EED96A7F687C2421C24F6D69BF3E39,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000112764Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:21:36.964{D0132419-04DD-614B-2800-00000000FC01}2832NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=2990B16A694DD695D7F6C8AE7AEE48F0,SHA256=B465CF03FBDF89CAB3FC04972E2D540944CDC3DF8EB3010FFE979D2D499C10D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000112763Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:21:36.574{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D5C25407FA6543C2022BB0E09CAEB274,SHA256=12B97B470837585C7B08748B3D38B2E0C9DAD451457BD8ED9EF9999234285743,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000095016Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:21:35.189{601D2BAB-04F9-614B-6600-00000000FD01}2700C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-301.eu-central-1.compute.internal50362-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000095015Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:21:36.296{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3150F866C91CED0E9C4A65861AD6786F,SHA256=DD545B0E245AE19976A3B4C5728C13E78EBD626444F1D656DD35323C490BA377,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000112762Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-SetValue2021-09-22 11:21:36.496{D0132419-04D0-614B-1200-00000000FC01}628C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d7afa4-0x01799557) 23542300x8000000000000000112765Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:21:37.589{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A71406E81F06D53184C3F9671E9349D,SHA256=E857499F75F7191F767BC82543CCC4394361781DCAA114500B6120872D31A95D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000095017Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:21:37.296{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=58F5CBB477E97D6F12C79EB39D966E7F,SHA256=9E17C78A4F63A38D777F1F2B9B64DA8500114F074D18F399E49457E8FEFA31AB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000112768Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:21:38.605{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A3908E7E75DD8F99509063EC7DBAB60,SHA256=FC9ACCE8D2318491DD35BAFEDF228E16FA1A17349133B231C787BC944B37190A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000095018Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:21:38.297{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=63A98427CF64D89D9BB1FBF25B3E1062,SHA256=9AAE0C9552D5EF11A7E8D869B539C9F4602F549F06CDEA3FA4F83116A2E5FD9D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000112767Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:21:36.641{D0132419-04E8-614B-6A00-00000000FC01}3852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local55863-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000112766Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:21:36.438{D0132419-04DD-614B-2800-00000000FC01}2832C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local55862-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x8000000000000000112775Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:21:39.621{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D3258EE3A1518B624D5845E80802ACB7,SHA256=4B14C1142AF853C877E654746FE38820DA16EC1BA94CDA9D20D2DF10079D4B46,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000095019Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:21:39.312{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F22D12B3EBC2AD48E7D5A13E36EA4FC8,SHA256=21BD017AE48A9C2DABFEF27582699581D9880749DE249B0AA5B80901A11FC9DF,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000112774Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-SetValue2021-09-22 11:21:39.136{D0132419-04D0-614B-1400-00000000FC01}864C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\NcbService\NCB\KapiNlmCache\7\ValueBinary Data 13241300x8000000000000000112773Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-SetValue2021-09-22 11:21:39.136{D0132419-04D0-614B-1400-00000000FC01}864C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\NcbService\NCB\KapiNlmCache\7\ValueSizeDWORD (0x00000008) 13241300x8000000000000000112772Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-SetValue2021-09-22 11:21:39.136{D0132419-04D0-614B-1400-00000000FC01}864C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\NcbService\NCB\KapiNlmCache\7\KeySizeDWORD (0x00000000) 13241300x8000000000000000112771Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-SetValue2021-09-22 11:21:39.136{D0132419-04D0-614B-1400-00000000FC01}864C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\NcbService\NCB\KapiNlmCache\7\TimestampQWORD (0x01d7afa4-0x030c7e19) 13241300x8000000000000000112770Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-SetValue2021-09-22 11:21:39.136{D0132419-04D0-614B-1400-00000000FC01}864C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\NcbService\NCB\KapiNlmCache\7\NetworksBinary Data 13241300x8000000000000000112769Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-SetValue2021-09-22 11:21:39.136{D0132419-04D0-614B-1400-00000000FC01}864C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\NcbService\NCB\KapiNlmCache\7\NumNetworksDWORD (0x00000001) 23542300x8000000000000000112776Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:21:40.697{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC1E3DAEF643E6C9873A92F78489E8AD,SHA256=BD86145A7E9235039E1348B845DD53CCBA4024974F3685E99962E5EBCC12F36A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000095020Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:21:40.316{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A6A29DCE043DC1AFE31616E55E5AB0AB,SHA256=FF8F2606DC6B73CDE4211A4DF7CAA0AB603DD19994B3C0CD253318C7D78DAE99,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000112781Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:21:41.712{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=384CD979F8F07F5BA78AA7CA1E194C45,SHA256=C922F0E101715551825F56DE1DB36AF14E12E4D95C679351095CDB666D7A7A34,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000095022Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:21:41.973{601D2BAB-04EF-614B-2300-00000000FD01}1560NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=2990B16A694DD695D7F6C8AE7AEE48F0,SHA256=B465CF03FBDF89CAB3FC04972E2D540944CDC3DF8EB3010FFE979D2D499C10D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000095021Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:21:41.348{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D053D796C71615476A58F960190F1827,SHA256=28D64EE5BA5BBCD37F89B132E05DBDC8D93D0F1D1A266F59B31CD67B40CA962B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000112780Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:21:39.841{D0132419-04DF-614B-3F00-00000000FC01}3344C:\Program Files\Amazon\SSM\ssm-agent-worker.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local55867-false169.254.169.254-80http 354300x8000000000000000112779Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:21:39.760{D0132419-04DF-614B-3F00-00000000FC01}3344C:\Program Files\Amazon\SSM\ssm-agent-worker.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local55866-false169.254.169.254-80http 354300x8000000000000000112778Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:21:39.706{D0132419-04DF-614B-3F00-00000000FC01}3344C:\Program Files\Amazon\SSM\ssm-agent-worker.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local55865-false169.254.169.254-80http 354300x8000000000000000112777Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:21:39.705{D0132419-04DF-614B-3F00-00000000FC01}3344C:\Program Files\Amazon\SSM\ssm-agent-worker.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local55864-false169.254.169.254-80http 23542300x8000000000000000112782Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:21:42.790{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=872CBDB31F5090FA43BE3EEF427578E3,SHA256=BDBCF7121BF492C4107C5CD2A8B6C3E108B546B4399E08206446492F7623E563,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000095024Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:21:42.348{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B24FE9239430C7EB8A7EB691FEB85AF7,SHA256=339B3F776BC24351686FDF1CA0779A22F38DFA5764C4E421AB2E29154811CC25,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000095023Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:21:40.194{601D2BAB-04F9-614B-6600-00000000FD01}2700C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-301.eu-central-1.compute.internal50363-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000112784Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:21:43.806{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E75531A05B3815CA77BC5CCF0DFD47F3,SHA256=8322E100B5A987A6357D5791F555E2F758EBC500E1106B2D614B5777217711EC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000095026Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:21:43.348{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F3CCBB00768E412C067BA8783B20EAD4,SHA256=A094B4B8957D7239B83E5F145C561D7F040456163FFD14A81CAB93867154070A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000112783Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:21:41.733{D0132419-04E8-614B-6A00-00000000FC01}3852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local55868-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x800000000000000095025Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:21:41.912{601D2BAB-04EF-614B-2300-00000000FD01}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-301.eu-central-1.compute.internal50364-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x8000000000000000112785Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:21:44.821{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0BD57B5AE78E24C1C101491DB9491C31,SHA256=4232109EA7E5053E18763D622FA614F550BCB3D4F5DE5AB50CFCF62978C8FF4A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000095027Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:21:44.348{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B0D206487BF3C286908B9FCCB4D640AC,SHA256=B2A0B476066031D9375572031C472FE72E3D17C5360B29293502065C8D8D867A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000112786Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:21:45.822{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=82A6F4C7FAFBE5D8A9D8F355702B3DEF,SHA256=E006D92F96C77685DB6851D39D6AE5963554FB3DEBA7174BD1818B79F3C9CAAB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000095028Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:21:45.363{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=279095001817C43ED81E5F286E094787,SHA256=F99AC2745E4E5E7B4ADCC01C3FA2F49A396C342217144562E322A5577DC4623F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000112787Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:21:46.822{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=845B07D44869A9A3EC3D54D3DF914C4B,SHA256=E5D5440FD6806588B3D44A551212C18F62C7E98550611FE839D78BB544B64C78,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000095029Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:21:46.363{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=695D9E0A347E9169D26923FC4BC4D86D,SHA256=8FC87AF9BB2C0035B26F8A9E43C6636042BB4C720652986919198B54DF15248A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000112788Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:21:47.837{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=04D39ED79673D8B1A4B214134FE151D6,SHA256=9D2D9B0E611B1DEAC65819E4528E7FC4AC088D6D383119EC94DAE936D29B5AF1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000095030Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:21:47.363{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5FA667C04D9558898D52E052794D7182,SHA256=CDC2076DF9C9053EF3DB6DF0311DC185B9C9B762690007379AFE2373D318B157,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000112789Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:21:48.853{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B03AB1D0149F7A37F7E510AAA3B5B52D,SHA256=5CC06488DCFC120B81A7EB1D2946CD349AC5A3065E991F6A2B76044E5FAA0A33,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000095032Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:21:48.426{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F926059F728BDE9A60DF6E134C14B181,SHA256=74E8DEBE8265F2938F278883565B3B04697570442562D174665B8BCCE0F949C0,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000095031Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:21:46.022{601D2BAB-04F9-614B-6600-00000000FD01}2700C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-301.eu-central-1.compute.internal50365-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000112799Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:21:49.962{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A40BFD821D4C751F4D768A4F14B5C6C5,SHA256=C2FA74F18AC415E7D9CC8932C9270209FFC5E097ADEEA98F1407EA8416B1BEED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000095033Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:21:49.457{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8AB1B8922FB7C9B58035023BD365F28F,SHA256=4481169F9C70C5A1E1067C1DF626238743C9AA49B8ECBB94BD7DA4DEA43A3B4B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000112798Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:21:47.733{D0132419-04E8-614B-6A00-00000000FC01}3852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local55869-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x8000000000000000112797Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:21:49.525{D0132419-04DE-614B-3100-00000000FC01}23683044C:\Windows\system32\conhost.exe{D0132419-11CD-614B-6402-00000000FC01}3512C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000112796Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:21:49.525{D0132419-04CF-614B-0C00-00000000FC01}8486036C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000112795Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:21:49.525{D0132419-04CF-614B-0C00-00000000FC01}8486036C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000112794Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:21:49.525{D0132419-04CF-614B-0C00-00000000FC01}8486036C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000112793Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:21:49.525{D0132419-04CF-614B-0C00-00000000FC01}8486036C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000112792Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:21:49.525{D0132419-04CD-614B-0500-00000000FC01}42492C:\Windows\system32\csrss.exe{D0132419-11CD-614B-6402-00000000FC01}3512C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000112791Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:21:49.525{D0132419-04DD-614B-2800-00000000FC01}28323704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D0132419-11CD-614B-6402-00000000FC01}3512C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000112790Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:21:49.525{D0132419-11CD-614B-6402-00000000FC01}3512C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D0132419-04CD-614B-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{D0132419-04DD-614B-2800-00000000FC01}2832C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000112818Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:21:50.979{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0AE02DD89B196ADD2D006FCA8B23AD21,SHA256=B8C9ABFC72764E72CB0FD4F72861169F697F378F1E47A2A0B0844AAF7BEF800A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000095034Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:21:50.504{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=88B9ADBB89658C89FCC67874FD1B2196,SHA256=90E95A003603B5E6E9670C3C4B72E78674F9DB35A1C114AED441D8A68821922B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000112817Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:21:50.946{D0132419-04DE-614B-3100-00000000FC01}23683044C:\Windows\system32\conhost.exe{D0132419-11CE-614B-6602-00000000FC01}6096C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000112816Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:21:50.946{D0132419-04CF-614B-0C00-00000000FC01}8486036C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000112815Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:21:50.946{D0132419-04CF-614B-0C00-00000000FC01}8486036C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000112814Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:21:50.946{D0132419-04CF-614B-0C00-00000000FC01}8486036C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000112813Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:21:50.946{D0132419-04CF-614B-0C00-00000000FC01}8486036C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000112812Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:21:50.946{D0132419-04CD-614B-0500-00000000FC01}42492C:\Windows\system32\csrss.exe{D0132419-11CE-614B-6602-00000000FC01}6096C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000112811Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:21:50.946{D0132419-04DD-614B-2800-00000000FC01}28323704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D0132419-11CE-614B-6602-00000000FC01}6096C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000112810Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:21:50.947{D0132419-11CE-614B-6602-00000000FC01}6096C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D0132419-04CD-614B-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{D0132419-04DD-614B-2800-00000000FC01}2832C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000112809Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:21:50.541{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=17E45AE577C83B9AFFC451F6BF43257C,SHA256=1808CB9A7E8F26FE3F3AB5A9604C8013849E25B20A6CBFD6CBD6C43A46D88FAE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000112808Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:21:50.541{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3AF0F7F9AB017A87D59937839F2FE7CA,SHA256=93F91EA9EBB4091785EA91F29D5F462A795F288D7B3D1893A115752C2B49C75A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000112807Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:21:50.446{D0132419-04DE-614B-3100-00000000FC01}23683044C:\Windows\system32\conhost.exe{D0132419-11CE-614B-6502-00000000FC01}4240C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000112806Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:21:50.446{D0132419-04CF-614B-0C00-00000000FC01}8486036C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000112805Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:21:50.446{D0132419-04CF-614B-0C00-00000000FC01}8486036C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000112804Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:21:50.446{D0132419-04CF-614B-0C00-00000000FC01}8486036C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000112803Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:21:50.446{D0132419-04CF-614B-0C00-00000000FC01}8486036C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000112802Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:21:50.446{D0132419-04CD-614B-0500-00000000FC01}42492C:\Windows\system32\csrss.exe{D0132419-11CE-614B-6502-00000000FC01}4240C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000112801Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:21:50.446{D0132419-04DD-614B-2800-00000000FC01}28323704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D0132419-11CE-614B-6502-00000000FC01}4240C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000112800Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:21:50.448{D0132419-11CE-614B-6502-00000000FC01}4240C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D0132419-04CD-614B-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{D0132419-04DD-614B-2800-00000000FC01}2832C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000095035Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:21:51.504{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A7FCDFD47F8D6116C03AF1CEB1064757,SHA256=A1D8610A71D2D37415749457F77EDB629EA1CC51997AA1F1FCD96F70A451BF50,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000112819Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:21:51.181{D0132419-11CE-614B-6602-00000000FC01}60965704C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{D0132419-04DD-614B-2800-00000000FC01}2832C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000095036Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:21:52.504{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=31E15EBFE5D1A12539A6DBBAFD9877C6,SHA256=936099D8C983889EFA1C436F395D40C7F22C6818190AD8E3CBEE72121DD90C6D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000112823Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:21:50.485{D0132419-04CD-614B-0B00-00000000FC01}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local55870-true0:0:0:0:0:0:0:1win-dc-639.attackrange.local389ldap 354300x8000000000000000112822Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:21:50.485{D0132419-04DD-614B-2500-00000000FC01}2784C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local55870-true0:0:0:0:0:0:0:1win-dc-639.attackrange.local389ldap 23542300x8000000000000000112821Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:21:52.212{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C6A989D7F9A61AAE1C840AEAEDB370D6,SHA256=97E8C79A2EDD9E9B71421AB7222BCADEAC27F77A52E0D61E3DC0223C44992F09,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000112820Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:21:52.025{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=17E45AE577C83B9AFFC451F6BF43257C,SHA256=1808CB9A7E8F26FE3F3AB5A9604C8013849E25B20A6CBFD6CBD6C43A46D88FAE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000095037Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:21:53.504{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=86206B403FB50F7084C0E1C0B9949F7C,SHA256=792C1545407BD2594167C62A569D2AA625FA5257D58F742C721F05A62BD45D71,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000112833Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:21:53.712{D0132419-11D1-614B-6702-00000000FC01}10643840C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D0132419-04DD-614B-2800-00000000FC01}2832C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000112832Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:21:53.509{D0132419-04DE-614B-3100-00000000FC01}23683044C:\Windows\system32\conhost.exe{D0132419-11D1-614B-6702-00000000FC01}1064C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000112831Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:21:53.509{D0132419-04CF-614B-0C00-00000000FC01}8486036C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000112830Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:21:53.509{D0132419-04CF-614B-0C00-00000000FC01}8486036C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000112829Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:21:53.509{D0132419-04CF-614B-0C00-00000000FC01}8486036C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000112828Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:21:53.509{D0132419-04CF-614B-0C00-00000000FC01}8486036C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000112827Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:21:53.509{D0132419-04CD-614B-0500-00000000FC01}424440C:\Windows\system32\csrss.exe{D0132419-11D1-614B-6702-00000000FC01}1064C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000112826Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:21:53.509{D0132419-04DD-614B-2800-00000000FC01}28323704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D0132419-11D1-614B-6702-00000000FC01}1064C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000112825Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:21:53.510{D0132419-11D1-614B-6702-00000000FC01}1064C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D0132419-04CD-614B-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{D0132419-04DD-614B-2800-00000000FC01}2832C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000112824Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:21:53.259{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C917C7295A4353D1744E54A006356CEC,SHA256=3256C09F1F5ABC25D943FBAEFA5FAC3EF8B35C232F8FDDDB13A8577288306B8F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000095039Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:21:54.520{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB77F020411DFBDDD773994D15BA26F4,SHA256=CB4C543B8037A2BC9B39304F0F9C5405D49F71EEF293990C97FE19DB71C2D010,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000112835Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:21:54.525{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=883712FD5B2514FE2E3A1BAB72003D9F,SHA256=B89470A1E49159A32B08656DE0846AA8A9D0518A3A722CA93C16428D9998D19D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000112834Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:21:54.275{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D897C2430D16146FA575841F96945C82,SHA256=83FA8276E4F8D000FD404E1652E774FA7C11572D2F9746B21538C93B0EECF643,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000095038Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:21:52.006{601D2BAB-04F9-614B-6600-00000000FD01}2700C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-301.eu-central-1.compute.internal50366-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000095041Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:21:55.520{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=22EC85E842DCA7A399E62195FA0375B3,SHA256=E0541925E9AEF2A783CF9E1EB1A5DE39D6CE6E7D8467DE18C2C11398832862C9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000112836Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:21:55.290{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D5294476D149D76A2662FB9C83CE3EC,SHA256=ED2C9EBFE5F2235E3722C6432D07F6372FF49F3545AB3A91D1D298413474899D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000095040Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:21:55.301{601D2BAB-04EE-614B-1100-00000000FD01}972NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=DF307FC2F16AE0F5E37A48E96D34AEE2,SHA256=9B2E3B2AA7A15BC42F603EC5E271A87AFB3F3C0606D7D8CDC997DE03EA19FE81,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000095042Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:21:56.551{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=33432EC73E2E05D0EF8ED1BACF3EB7DC,SHA256=0910FD6E4DA2D4BAD6E2EE41A484D5627649FAB90E09269566E485439088D862,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000112838Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:21:56.337{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EF7847C4B373C2E6D3C69927C6574A18,SHA256=7C5EF086A211C09B127392F0414885A10606CBC3F29692BA082135BED574922C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000112837Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:21:53.608{D0132419-04E8-614B-6A00-00000000FC01}3852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local55871-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000095043Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:21:57.554{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=568985548E9A535AA3727F6A90BFA061,SHA256=0F4F1AF42EE8AB78478EA68F0DF2CC0A094A51C088D7121E51EB25D3C9F46BC6,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000112842Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-SetValue2021-09-22 11:21:57.603{D0132419-04DD-614B-2B00-00000000FC01}3000C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Volumes\8EFF07E0-0000-0000-0000-100000000000\Volume Configuration File\\.\C:\System Volume Information\DFSR\Config\Volume_8EFF07E0-0000-0000-0000-100000000000.XML 13241300x8000000000000000112841Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-SetValue2021-09-22 11:21:57.587{D0132419-04DD-614B-2B00-00000000FC01}3000C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\EAA03964-875C-43CF-AA1A-8F0426A0E9C6\Config SourceDWORD (0x00000001) 13241300x8000000000000000112840Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-SetValue2021-09-22 11:21:57.587{D0132419-04DD-614B-2B00-00000000FC01}3000C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\EAA03964-875C-43CF-AA1A-8F0426A0E9C6\Replica Set Configuration File\\?\C:\System Volume Information\DFSR\Config\Replica_EAA03964-875C-43CF-AA1A-8F0426A0E9C6.XML 23542300x8000000000000000112839Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:21:57.368{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E9B4B3316E087CF6DC186837F7D40FF,SHA256=678E4765BD1222026663FC04876A793DC600C752CBB0E8C96E43313329ED5D12,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000095044Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:21:58.567{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC8FC2EFE49F686582505B4F43ACEDFA,SHA256=BF393B9874418D75CB063EE7E895D7A20BDE88E13D5F1F187387EEB119C9464C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000112850Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:21:57.102{D0132419-04CD-614B-0B00-00000000FC01}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:b08d:bb0:abe3:5127win-dc-639.attackrange.local55874-truefe80:0:0:0:b08d:bb0:abe3:5127win-dc-639.attackrange.local389ldap 354300x8000000000000000112849Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:21:57.102{D0132419-04DD-614B-2B00-00000000FC01}3000C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:b08d:bb0:abe3:5127win-dc-639.attackrange.local55874-truefe80:0:0:0:b08d:bb0:abe3:5127win-dc-639.attackrange.local389ldap 354300x8000000000000000112848Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:21:57.095{D0132419-04CD-614B-0B00-00000000FC01}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:b08d:bb0:abe3:5127win-dc-639.attackrange.local55873-truefe80:0:0:0:b08d:bb0:abe3:5127win-dc-639.attackrange.local389ldap 354300x8000000000000000112847Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:21:57.095{D0132419-04DD-614B-2B00-00000000FC01}3000C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:b08d:bb0:abe3:5127win-dc-639.attackrange.local55873-truefe80:0:0:0:b08d:bb0:abe3:5127win-dc-639.attackrange.local389ldap 354300x8000000000000000112846Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:21:57.078{D0132419-04CF-614B-0D00-00000000FC01}908C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:b08d:bb0:abe3:5127win-dc-639.attackrange.local55872-truefe80:0:0:0:b08d:bb0:abe3:5127win-dc-639.attackrange.local135epmap 354300x8000000000000000112845Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:21:57.078{D0132419-04DD-614B-2B00-00000000FC01}3000C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:b08d:bb0:abe3:5127win-dc-639.attackrange.local55872-truefe80:0:0:0:b08d:bb0:abe3:5127win-dc-639.attackrange.local135epmap 23542300x8000000000000000112844Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:21:58.634{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C3B05D33C76393C74BC0462D8A3ADE68,SHA256=492409E2D5A6119979D91FBA9D130F530DC6FDC346B4B9927002D70F8D8E36D4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000112843Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:21:58.400{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=89F6961AC50B138FF33310E61E3BDA68,SHA256=0E384299B01DD3B04F76AB8175167EA0017775A5FC62BEBD0209D044B92F9722,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000095050Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:21:59.583{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E54B24FD173C98112343BCCD511149F5,SHA256=746BE71DFB2DEBCE0E4F28EFE36489C7D1F7EBEFA6E0B5F50F7D9F0FF3D0EE53,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000112851Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:21:59.415{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8CC7DEE0FBA27EB0C526C43DAF407971,SHA256=26CBDFA1FAC2D2EAE24540238FC8538EE1CCB9BDD7B08B94A4D0BB1479E31025,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000095049Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:21:57.662{601D2BAB-04F1-614B-3700-00000000FD01}2084C:\Program Files\Amazon\SSM\ssm-agent-worker.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-301.eu-central-1.compute.internal50371-false169.254.169.254instance-data.eu-central-1.compute.internal80http 354300x800000000000000095048Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:21:57.551{601D2BAB-04F1-614B-3700-00000000FD01}2084C:\Program Files\Amazon\SSM\ssm-agent-worker.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-301.eu-central-1.compute.internal50370-false169.254.169.254instance-data.eu-central-1.compute.internal80http 354300x800000000000000095047Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:21:57.508{601D2BAB-04F1-614B-3700-00000000FD01}2084C:\Program Files\Amazon\SSM\ssm-agent-worker.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-301.eu-central-1.compute.internal50369-false169.254.169.254instance-data.eu-central-1.compute.internal80http 354300x800000000000000095046Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:21:57.507{601D2BAB-04F1-614B-3700-00000000FD01}2084C:\Program Files\Amazon\SSM\ssm-agent-worker.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-301.eu-central-1.compute.internal50368-false169.254.169.254instance-data.eu-central-1.compute.internal80http 354300x800000000000000095045Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:21:57.131{601D2BAB-04F9-614B-6600-00000000FD01}2700C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-301.eu-central-1.compute.internal50367-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000095051Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:22:00.591{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EC2EC85E95B4F622B3049E6473C501DC,SHA256=2567DB75A5D35F5FCE82DCDD64C0B0EFFE8C56B49F980F52254309BCCA691EDF,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000112853Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:21:58.732{D0132419-04E8-614B-6A00-00000000FC01}3852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local55875-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000112852Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:22:00.446{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D08BD3D976E5C4F83748A0DF1BA1A6FF,SHA256=80E4AAD4AFF18580963C2102094536B51C91AF4D4679B10914A77F65ED673EB5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000095052Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:22:01.623{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6AD8ED5BF700D3827CEA99EC3D374EDF,SHA256=BF99B56B1F536D113BC53F82A7C70E7D3EECC0C7578A1CCECD7AD9B89DC53645,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000112855Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:22:01.447{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=37BEF00D305F537726A0236481C0FA6B,SHA256=BE5CD2E5A5C73F6D8C4BED3972F2C9F9BD80731DE2C38FF0C0D1186A79952C58,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000112854Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:22:01.059{D0132419-04DD-614B-2900-00000000FC01}2876NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-00d0db05f68d8430c\channels\health\respondent-20210922102639-053MD5=345F625AB226979275E8E5CD8333D545,SHA256=49B2C959B2C09B2DF7CFAED4905912E8B63F426A3734D76F2BAAFA07100D73D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000095053Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:22:02.638{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E9CCAE1BAD17653D6EC7083E201E5F1,SHA256=FDC112DC99B83E38831A18305339E8296512AEF1531F83EFA7539BEF197730A3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000112857Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:22:02.461{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=959BA22201BEAFD23E6A6049FF69AEBB,SHA256=06662505673C65F6D19D178D19C2B8D2146C2DFA70DA98C8B4EA44E8BCBD16D8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000112856Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:22:02.058{D0132419-04DD-614B-2900-00000000FC01}2876NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-00d0db05f68d8430c\channels\health\surveyor-20210922102637-054MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000095054Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:22:03.669{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=97B5F5898CFCD78A536D0E71AEFC5861,SHA256=3DD1B416FA78D45E82996CF85ABBB62E947AED80D5AE1247240D2C875F6D220D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000112858Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:22:03.480{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=328A4121E91E2A5F656036987FD4E468,SHA256=B89B5C994713199BED622C3B9A13807E4EB8C73A6935E528D3F0B1250552FC33,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000095056Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:22:04.669{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=07C4AA3981A0F73C6836A07828C6B1B7,SHA256=8FDC659EFC3A00C5D464696535BEA13C2D01A28B7F1B6E1683F4ACB6D420D077,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000112859Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:22:04.496{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3E98B7A0448478EB4A52520B87CC0562,SHA256=D708893DEFFA78E533B4CCBC1AEF534CB6BA5BF3DC6F81D4EB1B9F4B2258811C,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000095055Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:22:03.047{601D2BAB-04F9-614B-6600-00000000FD01}2700C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-301.eu-central-1.compute.internal50372-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000095057Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:22:05.685{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B16F5E8724B3F00D8A03BCA5023F7B2,SHA256=F157C9257191D4AA921CFFEAF28BF8996C8FDAA40F481796712A25B6C20DEEC5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000112860Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:22:05.527{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=223C3A6FA2384F405C1528D38EDEFFBA,SHA256=10CFC31FC55ACA90515DA8E064666BB6500E3D2E0BBB3DD4277BC9D2589FAB05,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000112880Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:22:06.980{D0132419-11DE-614B-6902-00000000FC01}53045964C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{D0132419-04DD-614B-2800-00000000FC01}2832C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000112879Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:22:06.777{D0132419-04DE-614B-3100-00000000FC01}23683044C:\Windows\system32\conhost.exe{D0132419-11DE-614B-6902-00000000FC01}5304C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000112878Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:22:06.777{D0132419-04CF-614B-0C00-00000000FC01}8486036C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000112877Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:22:06.777{D0132419-04CF-614B-0C00-00000000FC01}8486036C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000112876Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:22:06.777{D0132419-04CF-614B-0C00-00000000FC01}8486036C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000112875Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:22:06.777{D0132419-04CF-614B-0C00-00000000FC01}8486036C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000112874Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:22:06.777{D0132419-04CD-614B-0500-00000000FC01}424440C:\Windows\system32\csrss.exe{D0132419-11DE-614B-6902-00000000FC01}5304C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000112873Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:22:06.777{D0132419-04DD-614B-2800-00000000FC01}28323704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D0132419-11DE-614B-6902-00000000FC01}5304C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000112872Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:22:06.779{D0132419-11DE-614B-6902-00000000FC01}5304C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D0132419-04CD-614B-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{D0132419-04DD-614B-2800-00000000FC01}2832C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000112871Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:22:06.699{D0132419-04CD-614B-0B00-00000000FC01}640844C:\Windows\system32\lsass.exe{D0132419-04C7-614B-0100-00000000FC01}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d211|C:\Windows\system32\lsasrv.dll+2b3d4|C:\Windows\system32\lsasrv.dll+30929|C:\Windows\system32\lsasrv.dll+2e287|C:\Windows\system32\lsasrv.dll+2d211|C:\Windows\system32\lsasrv.dll+15ded|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 23542300x8000000000000000112870Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:22:06.543{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B0ACE86CA965E14BDB2B71B1016099F,SHA256=11363F4B0FCDF18F7CC6EC030DBD42C1E8A1F89F8F03DDDA01A3F8034A4DF1C0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000095071Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:22:06.701{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E1AAC82EB6D0BF1B3B6A1A7A11FD149F,SHA256=9EF39648C5D96A6DBFC0F3DEC4C8709CECB08A9859A7D4C8DA07CB8B783A3CA4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000095070Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:22:06.216{601D2BAB-04F0-614B-2B00-00000000FD01}28122832C:\Windows\system32\conhost.exe{601D2BAB-11DE-614B-1802-00000000FD01}3292C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000095069Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:22:06.216{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000095068Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:22:06.216{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000095067Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:22:06.216{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000095066Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:22:06.216{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000095065Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:22:06.216{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000095064Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:22:06.216{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000095063Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:22:06.216{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000095062Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:22:06.216{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000095061Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:22:06.216{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000095060Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:22:06.216{601D2BAB-04ED-614B-0500-00000000FD01}412428C:\Windows\system32\csrss.exe{601D2BAB-11DE-614B-1802-00000000FD01}3292C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000095059Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:22:06.216{601D2BAB-04EF-614B-2300-00000000FD01}15603852C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{601D2BAB-11DE-614B-1802-00000000FD01}3292C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000095058Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:22:06.217{601D2BAB-11DE-614B-1802-00000000FD01}3292C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{601D2BAB-04EE-614B-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{601D2BAB-04EF-614B-2300-00000000FD01}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000112869Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:22:06.371{D0132419-11DE-614B-6802-00000000FC01}20685052C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D0132419-04DD-614B-2800-00000000FC01}2832C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000112868Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:22:06.199{D0132419-04DE-614B-3100-00000000FC01}23683044C:\Windows\system32\conhost.exe{D0132419-11DE-614B-6802-00000000FC01}2068C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000112867Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:22:06.199{D0132419-04CF-614B-0C00-00000000FC01}8486036C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000112866Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:22:06.199{D0132419-04CF-614B-0C00-00000000FC01}8486036C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000112865Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:22:06.199{D0132419-04CF-614B-0C00-00000000FC01}8486036C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000112864Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:22:06.199{D0132419-04CF-614B-0C00-00000000FC01}8486036C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000112863Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:22:06.199{D0132419-04CD-614B-0500-00000000FC01}424540C:\Windows\system32\csrss.exe{D0132419-11DE-614B-6802-00000000FC01}2068C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000112862Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:22:06.199{D0132419-04DD-614B-2800-00000000FC01}28323704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D0132419-11DE-614B-6802-00000000FC01}2068C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000112861Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:22:06.200{D0132419-11DE-614B-6802-00000000FC01}2068C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{D0132419-04CD-614B-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{D0132419-04DD-614B-2800-00000000FC01}2832C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000112892Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:22:07.949{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=64753FFD0E327C881E4FC8CD7BBA6EEA,SHA256=AAACE115233FC510FD0061B4CD06F502AB253901ABCDE6779AD326ABD3866B91,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000095101Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:22:07.919{601D2BAB-11DF-614B-1A02-00000000FD01}16044088C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{601D2BAB-04EF-614B-2300-00000000FD01}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000095100Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:22:07.795{601D2BAB-04F0-614B-2B00-00000000FD01}28122832C:\Windows\system32\conhost.exe{601D2BAB-11DF-614B-1A02-00000000FD01}1604C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000095099Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:22:07.795{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000095098Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:22:07.795{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000095097Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:22:07.795{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000095096Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:22:07.795{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000095095Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:22:07.795{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000095094Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:22:07.795{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000095093Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:22:07.795{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000095092Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:22:07.795{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000095091Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:22:07.795{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000095090Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:22:07.795{601D2BAB-04ED-614B-0500-00000000FD01}412428C:\Windows\system32\csrss.exe{601D2BAB-11DF-614B-1A02-00000000FD01}1604C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000095089Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:22:07.795{601D2BAB-04EF-614B-2300-00000000FD01}15603852C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{601D2BAB-11DF-614B-1A02-00000000FD01}1604C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000095088Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:22:07.795{601D2BAB-11DF-614B-1A02-00000000FD01}1604C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{601D2BAB-04EE-614B-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{601D2BAB-04EF-614B-2300-00000000FD01}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000095087Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:22:07.716{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FFA852F660CAC587C303E9744E9100B2,SHA256=7D07B7E0529692ED7057AFBD1DD903E10CB0EAF3B683E46F5251BCDF975328D7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000112891Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:22:07.449{D0132419-04DE-614B-3100-00000000FC01}23683044C:\Windows\system32\conhost.exe{D0132419-11DF-614B-6A02-00000000FC01}5244C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000112890Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:22:07.449{D0132419-04CF-614B-0C00-00000000FC01}8486036C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000112889Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:22:07.449{D0132419-04CF-614B-0C00-00000000FC01}8486036C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000112888Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:22:07.449{D0132419-04CD-614B-0500-00000000FC01}42492C:\Windows\system32\csrss.exe{D0132419-11DF-614B-6A02-00000000FC01}5244C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000112887Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:22:07.449{D0132419-04CF-614B-0C00-00000000FC01}8486036C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000112886Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:22:07.449{D0132419-04CF-614B-0C00-00000000FC01}8486036C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000112885Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:22:07.449{D0132419-04DD-614B-2800-00000000FC01}28323704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D0132419-11DF-614B-6A02-00000000FC01}5244C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000112884Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:22:07.450{D0132419-11DF-614B-6A02-00000000FC01}5244C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D0132419-04CD-614B-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{D0132419-04DD-614B-2800-00000000FC01}2832C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000112883Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:22:07.433{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D5160A662A57351F7B7B30F29C65BC53,SHA256=9B8E2C3CC27084B5EF1358BFF7284D35AC074E07408DB134E02C8ACAB30C97CC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000112882Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:22:07.433{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F90170E921F8B888DD9AADBF5BFE9277,SHA256=34211C385851463F3C0514CB4B1A4635A3BC9A1660D384C8E8722EB363479EAC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000112881Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:22:04.610{D0132419-04E8-614B-6A00-00000000FC01}3852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local55876-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000095086Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:22:07.232{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=161436A2F8E427B335AC692D351EFBDE,SHA256=1879574B173D187E12AA285B63226CEA86CCB826710638AF677015BA19353EF2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000095085Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:22:07.232{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=ED74ADA92E69E3833FB48F74D36F34E1,SHA256=E5CCF084054731AA30DDA3D3796BBDD7BF9C0845385836B61082F1E224680606,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000095084Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:22:07.123{601D2BAB-04F0-614B-2B00-00000000FD01}28122832C:\Windows\system32\conhost.exe{601D2BAB-11DF-614B-1902-00000000FD01}1820C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000095083Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:22:07.123{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000095082Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:22:07.123{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000095081Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:22:07.123{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000095080Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:22:07.123{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000095079Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:22:07.123{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000095078Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:22:07.123{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000095077Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:22:07.123{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000095076Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:22:07.123{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000095075Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:22:07.123{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000095074Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:22:07.123{601D2BAB-04ED-614B-0500-00000000FD01}412528C:\Windows\system32\csrss.exe{601D2BAB-11DF-614B-1902-00000000FD01}1820C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000095073Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:22:07.123{601D2BAB-04EF-614B-2300-00000000FD01}15603852C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{601D2BAB-11DF-614B-1902-00000000FD01}1820C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000095072Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:22:07.123{601D2BAB-11DF-614B-1902-00000000FD01}1820C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{601D2BAB-04EE-614B-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{601D2BAB-04EF-614B-2300-00000000FD01}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000095103Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:22:08.951{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=161436A2F8E427B335AC692D351EFBDE,SHA256=1879574B173D187E12AA285B63226CEA86CCB826710638AF677015BA19353EF2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000095102Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:22:08.716{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C1532786550745C8873632DDBEA2D3E,SHA256=868FC2FB11208AB45BF771EF2785B8D16BE1818813EDAEFB0321C6DC63954A6F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000112899Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:22:08.543{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D5160A662A57351F7B7B30F29C65BC53,SHA256=9B8E2C3CC27084B5EF1358BFF7284D35AC074E07408DB134E02C8ACAB30C97CC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000112898Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:22:06.193{D0132419-04C7-614B-0100-00000000FC01}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:b08d:bb0:abe3:5127win-dc-639.attackrange.local55879-truefe80:0:0:0:b08d:bb0:abe3:5127win-dc-639.attackrange.local445microsoft-ds 354300x8000000000000000112897Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:22:06.193{D0132419-04C7-614B-0100-00000000FC01}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:b08d:bb0:abe3:5127win-dc-639.attackrange.local55879-truefe80:0:0:0:b08d:bb0:abe3:5127win-dc-639.attackrange.local445microsoft-ds 354300x8000000000000000112896Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:22:06.090{D0132419-04CD-614B-0B00-00000000FC01}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-639.attackrange.local55878-false10.0.1.14win-dc-639.attackrange.local389ldap 354300x8000000000000000112895Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:22:06.090{D0132419-04D0-614B-1000-00000000FC01}388C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local55878-false10.0.1.14win-dc-639.attackrange.local389ldap 354300x8000000000000000112894Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:22:06.082{D0132419-04CD-614B-0B00-00000000FC01}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:b08d:bb0:abe3:5127win-dc-639.attackrange.local55877-truefe80:0:0:0:b08d:bb0:abe3:5127win-dc-639.attackrange.local389ldap 354300x8000000000000000112893Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:22:06.082{D0132419-04D0-614B-1000-00000000FC01}388C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:b08d:bb0:abe3:5127win-dc-639.attackrange.local55877-truefe80:0:0:0:b08d:bb0:abe3:5127win-dc-639.attackrange.local389ldap 10341000x800000000000000095119Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:22:09.873{601D2BAB-11E1-614B-1B02-00000000FD01}33923276C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{601D2BAB-04EF-614B-2300-00000000FD01}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000095118Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:22:09.748{601D2BAB-04F0-614B-2B00-00000000FD01}28122832C:\Windows\system32\conhost.exe{601D2BAB-11E1-614B-1B02-00000000FD01}3392C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000095117Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:22:09.748{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000095116Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:22:09.748{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000095115Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:22:09.748{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000095114Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:22:09.748{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000095113Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:22:09.748{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000095112Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:22:09.748{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000095111Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:22:09.748{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000095110Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:22:09.748{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000095109Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:22:09.748{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000095108Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:22:09.748{601D2BAB-04ED-614B-0500-00000000FD01}412428C:\Windows\system32\csrss.exe{601D2BAB-11E1-614B-1B02-00000000FD01}3392C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000095107Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:22:09.748{601D2BAB-04EF-614B-2300-00000000FD01}15603852C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{601D2BAB-11E1-614B-1B02-00000000FD01}3392C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000095106Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:22:09.748{601D2BAB-11E1-614B-1B02-00000000FD01}3392C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{601D2BAB-04EE-614B-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{601D2BAB-04EF-614B-2300-00000000FD01}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000095105Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:22:09.732{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=34138B922F43920947A509DE7A8E92B7,SHA256=34E722660CAA81046BE9467F92091E00360317731FFB00CBD5267CD922E88397,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000112900Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:22:09.168{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=11BEFFBD2C4DD7425F055A1F05B7F198,SHA256=835352DF11367C8DB320A32B179E399F577A455DE2E799BAF4B70D17BA846736,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000095104Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:22:08.156{601D2BAB-04F9-614B-6600-00000000FD01}2700C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-301.eu-central-1.compute.internal50373-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000095135Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:22:10.810{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2C3A9AB069B4C1DD2F6E20AA49638768,SHA256=D0E8AF53B91D1BE5071555B7276447986E2B79C76B5A4769F0108C304673F646,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000095134Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:22:10.810{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5ED620B0F916608EA3E1E7D78B16951D,SHA256=57C07F48E72278462EC1B7D821FD9F2709B22322A507307E22F1446D9FE2D6F1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000112901Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:22:10.183{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ABF97444778E156D5CD6102D41DED1E3,SHA256=16F964653AAC73A26F715BD5829F9DAD3C4C0DF1A44B1955EA4E745634AD2F49,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000095133Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:22:10.544{601D2BAB-11E2-614B-1C02-00000000FD01}37523352C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{601D2BAB-04EF-614B-2300-00000000FD01}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000095132Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:22:10.419{601D2BAB-04F0-614B-2B00-00000000FD01}28122832C:\Windows\system32\conhost.exe{601D2BAB-11E2-614B-1C02-00000000FD01}3752C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000095131Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:22:10.419{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000095130Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:22:10.419{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000095129Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:22:10.419{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000095128Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:22:10.419{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000095127Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:22:10.419{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000095126Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:22:10.419{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000095125Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:22:10.419{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000095124Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:22:10.419{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000095123Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:22:10.419{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000095122Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:22:10.419{601D2BAB-04ED-614B-0500-00000000FD01}412428C:\Windows\system32\csrss.exe{601D2BAB-11E2-614B-1C02-00000000FD01}3752C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000095121Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:22:10.419{601D2BAB-04EF-614B-2300-00000000FD01}15603852C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{601D2BAB-11E2-614B-1C02-00000000FD01}3752C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000095120Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:22:10.420{601D2BAB-11E2-614B-1C02-00000000FD01}3752C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{601D2BAB-04EE-614B-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{601D2BAB-04EF-614B-2300-00000000FD01}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000095150Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:22:11.982{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4634D0AD20DE9A7D411F82320C513764,SHA256=3307FC5988770551209A223A038078B57B5430A6C7F3A1D874160461E1C02F59,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000112902Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:22:11.215{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=113D83B651C51D34CB6C96DCDAF9BAF6,SHA256=63779FA691517B4DD5DDF68203FF738367DA8AAD2730F0264737564FFA45FC54,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000095149Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:22:11.232{601D2BAB-11E3-614B-1D02-00000000FD01}27563336C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{601D2BAB-04EF-614B-2300-00000000FD01}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000095148Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:22:11.091{601D2BAB-04F0-614B-2B00-00000000FD01}28122832C:\Windows\system32\conhost.exe{601D2BAB-11E3-614B-1D02-00000000FD01}2756C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000095147Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:22:11.091{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000095146Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:22:11.091{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000095145Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:22:11.091{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000095144Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:22:11.091{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000095143Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:22:11.091{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000095142Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:22:11.091{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000095141Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:22:11.091{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000095140Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:22:11.091{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000095139Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:22:11.091{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000095138Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:22:11.091{601D2BAB-04ED-614B-0500-00000000FD01}412528C:\Windows\system32\csrss.exe{601D2BAB-11E3-614B-1D02-00000000FD01}2756C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000095137Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:22:11.091{601D2BAB-04EF-614B-2300-00000000FD01}15603852C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{601D2BAB-11E3-614B-1D02-00000000FD01}2756C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000095136Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:22:11.092{601D2BAB-11E3-614B-1D02-00000000FD01}2756C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{601D2BAB-04EE-614B-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{601D2BAB-04EF-614B-2300-00000000FD01}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000112904Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:22:10.594{D0132419-04E8-614B-6A00-00000000FC01}3852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local55880-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000112903Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:22:12.230{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C011593A9932DB75B6C5C2E2A84A44F3,SHA256=78E9261C6C5E72F6D116B063CD1DBE1CA85241C8D131E1EF71BC7EF6661D5045,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000095151Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:22:12.123{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D9390F10963B7BC1712AAE6C1F36E960,SHA256=96C4A8FDBFD19456915C6DB29161F9E67BCABD597B0FFF6804287AF48578799F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000112905Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:22:13.246{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=497D214E17991A634A5CAEE19FF3E159,SHA256=9DB3D6AB46A30B9E25AE8961C4D136F5845E15FF2E4241DA23EBE4DBB0007A5A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000095165Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:22:13.045{601D2BAB-04F0-614B-2B00-00000000FD01}28122832C:\Windows\system32\conhost.exe{601D2BAB-11E5-614B-1E02-00000000FD01}1112C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000095164Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:22:13.045{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000095163Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:22:13.045{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000095162Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:22:13.045{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000095161Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:22:13.045{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000095160Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:22:13.045{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000095159Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:22:13.045{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000095158Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:22:13.045{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000095157Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:22:13.045{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000095156Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:22:13.045{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000095155Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:22:13.045{601D2BAB-04ED-614B-0500-00000000FD01}412528C:\Windows\system32\csrss.exe{601D2BAB-11E5-614B-1E02-00000000FD01}1112C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000095154Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:22:13.045{601D2BAB-04EF-614B-2300-00000000FD01}15603852C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{601D2BAB-11E5-614B-1E02-00000000FD01}1112C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000095153Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:22:13.045{601D2BAB-11E5-614B-1E02-00000000FD01}1112C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{601D2BAB-04EE-614B-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{601D2BAB-04EF-614B-2300-00000000FD01}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000095152Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:22:13.013{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F04B3C4FFB0D5A6DB778CCF8972059B1,SHA256=36FAF48BEFA694C4255B159849F45D1AA6BDED97E65195885A3018A4EF244A44,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000112906Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:22:14.246{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DCCEEE725E59C3FF8138747F4C87E1B1,SHA256=611476951C0F8B58CD8F802FF3B18B9183A02DA0473B1ED2D0CF9156F87B2ED3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000095167Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:22:14.091{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0E88AA2C4E989D4FA3F9E453A43D7157,SHA256=FDFD43AAFD4930A5D091B62A33B769998AF226D5DED8A2855AAAE881F141F1A2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000095166Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:22:14.013{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3919517D980984DE0BDB82A4A0D1CD48,SHA256=96EB2E401E70E5010B896EF457726416324A60786CEC9F91D1CD1E3CE8413A6E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000112907Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:22:15.293{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6E2AD1FB0E35E5B4383EAA45A30E94B7,SHA256=8776D709C308ECBA54F869EC0507A07DCD8BAD89602C2221862626690591549F,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000095169Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:22:14.000{601D2BAB-04F9-614B-6600-00000000FD01}2700C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-301.eu-central-1.compute.internal50374-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000095168Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:22:15.013{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B13240C1033CA83E2BDFA0AA717EB49,SHA256=479D5C890278DB88E52F9F1285A072EC475638A9DF53FE01D6AF6CA2B5C4E3AC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000112908Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:22:16.308{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=45333D36E6CCFB0372E036F0308E6BFC,SHA256=E358C13E7A5DB0095A2AF727E74AE6F8290FBBC90047EDEB16ECD2C26BD7440C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000095170Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:22:16.013{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=66E1FA8E9EE0D3995567BAF57FE8156A,SHA256=B7F118949C4E84089F80E09F7B844ACAF276C99DE2CE71E1CDA78CC6F0B13922,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000112909Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:22:17.340{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=88AE6DE27ABBDCD3F1B3A318D3799913,SHA256=47CBD86FB060D070CB89216B355AD3CA849902E50238A7EA3B23C821AEC7BCA4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000095171Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:22:17.029{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6E1F660B3685586167C8486AA853C807,SHA256=9E536FA8DED1D05AE4A6443A90F7B7385018F8A75C18E41454839C235F465884,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000112913Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:22:16.641{D0132419-04E8-614B-6A00-00000000FC01}3852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local55881-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000112912Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:22:18.480{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1805C43E41451CB01024AF053FAA11ED,SHA256=5A3BE53C9428395995D05D2046BA8840279A9B41DBB014F313B3B4121F338B0A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000112911Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:22:18.480{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6A3A234AE14B88DA8CE37CFEDD5A55C8,SHA256=5A6AAFFB2254553844D36DDFF206698986FCDB45586230CA6C3140012680B8FB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000112910Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:22:18.355{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7333538C7A697AE9C6FD7596D47389A3,SHA256=C630B10866905E0C84C421302714691318310AF2B3D6526B105203AF321AC17B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000095173Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:22:18.562{601D2BAB-04EF-614B-1D00-00000000FD01}1920NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-03510517867203100\channels\health\respondent-20210922102657-053MD5=22FBA84AE51C77110BB6250FAEBEFB73,SHA256=8C4862C18A6D8E85F040577B2F2863C8212E82437A5FE9547DE6724818512818,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000095172Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:22:18.045{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F8FC1CF83383733023A10D1806E7F7B5,SHA256=BDBCE293BC60C495B4D11CF67A7A135572C0C2E7A343F43F699100481A2560B5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000112914Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:22:19.371{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A7AAF0AE44D8A4D064C5279EBF0A1504,SHA256=BC80BF5591A8BA8BF24BFE3B011520AC365880BDAE937E6A84AA628403987898,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000095175Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:22:19.576{601D2BAB-04EF-614B-1D00-00000000FD01}1920NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-03510517867203100\channels\health\surveyor-20210922102655-054MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000095174Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:22:19.107{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F10332361AF1E20B87F0D78A42810864,SHA256=C499FA6EE309303444A779E8AEC49D59B211E93B00B7A8B1529560B46EA3A20F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000112915Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:22:20.386{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E6A42E542FF6EB880234FAF25452DC2,SHA256=3F2EEF25A5A73BF9DCC7F6D947C7DF97B1F760FF04C58B00474DCC3FC218F3F8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000095176Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:22:20.129{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=56C1B5D1933BA655CE4A4600F57842B8,SHA256=F79AD630F879296BA66CB92544CFC16C3F4C369074A2CAB7DE4BDBE930A959C1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000112916Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:22:21.402{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE3690592B293C28A719DFC395C01DD2,SHA256=D74F7C524279A359325604F003F437BA5EEA5CE8BA432241640CCC9123966DA9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000095178Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:22:21.129{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB98983ACC5ABEEB4CE8B6F85D55B63E,SHA256=D0F9221A1344C45F27816ABBF8FDE081CD47C837F1A1E78B571C5B513C2D43DB,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000095177Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:22:19.046{601D2BAB-04F9-614B-6600-00000000FD01}2700C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-301.eu-central-1.compute.internal50375-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000112917Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:22:22.433{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=73405E54C153C31CDF60DAA931D2FA78,SHA256=6702C25CE715B50CA79EC45B383C06523D196F9699567960A1D0B277829C19E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000095179Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:22:22.129{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FDEBC918AD7627CC4081C5594A4A9B93,SHA256=479E655643E7351258A03D5B24B7E9F4508EB6B511D4E23CE89F65B807A44E38,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000112918Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:22:23.480{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EED0554989B77D59EC04E46BD7532C05,SHA256=4C7D33B9DDA19F5FBB68FDD3430C49A16720CFA7B922D58916D176DE4C6EEB46,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000095180Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:22:23.176{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=77E47535CDC9DBB0DB8AE6A3401BAD53,SHA256=B89D7461546778CD032E527D394C999D330548286A56EA3FA96345B873ECD1EF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000112919Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:22:24.511{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F75BE35DDAABA9C8E55B8AC8AE6C3D8,SHA256=5A4C868DCC2AA4A761796ED1A615F1DD7672516D7DD150EB5C49EACF7F616FC2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000095181Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:22:24.207{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=340114AFA2D74C0BD319447210947C7B,SHA256=5696EE7BEFB0F06658D86354BC697D640B4DEA82E3A04AEB7EC3EAC1BF65A49E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000112923Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:22:25.902{D0132419-04CF-614B-0D00-00000000FC01}9085648C:\Windows\system32\svchost.exe{D0132419-04D0-614B-1000-00000000FC01}388C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000112922Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:22:25.574{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=55F50501D8FA0D798CECF9E2E712B8CF,SHA256=CF52B3A3CA1D15CFC553289F19714D975290A75B446130C24EAD4941FD7C7B78,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000095182Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:22:25.222{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0723B84DF9AD80906E0447E718AD7D75,SHA256=48A6FA8684A78A28B1F0DE5D809EA1F2A6E8ED8287A0DD654917353A2DD3EEB6,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000112921Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:22:22.641{D0132419-04E8-614B-6A00-00000000FC01}3852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local55882-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000112920Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:22:25.074{D0132419-04D0-614B-1300-00000000FC01}396NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=D7048B0278AB90061CEA5E178A8CA95D,SHA256=37DB6B6936E9F2148774672C5055E2ED7DB0481595EB2839C870DC16843E4B28,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000112924Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:22:26.574{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A2523C273CDB675A08A5A3305FED44A,SHA256=C79F43C627634D10201383B22D05D5F54B540BF72A29CFA2F0AE4C227DCDFDB9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000095183Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:22:26.238{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B568171B5A65EF0C5A797844CB5D808,SHA256=6B1717769A8EE80EEEF8AC6A598A7C1C433C5007F55CE584A8709BC5FAEC95A7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000112925Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:22:27.590{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=168C4AE0F7396ECC46C72D560B06C485,SHA256=21D0434D3A057E1861AACDE11024F1B628E3F6AE3E361F60CEF8DC5682F1EBA6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000095185Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:22:27.238{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5AD501F3338CB74FE04A06B45694B4C9,SHA256=15F2953A821CC67778D135826B1C6C547991E25E0E6F4DF97320829F434CD9B9,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000095184Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:22:24.990{601D2BAB-04F9-614B-6600-00000000FD01}2700C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-301.eu-central-1.compute.internal50376-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000112926Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:22:28.605{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=834FEA3109B6840795F51238278D87F0,SHA256=AC30B4F347811A10B1E4ECC5D6C5CCF018C11837342C96AC08165D7EE6B188A3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000095186Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:22:28.285{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2D77FF7F6250C385D365FE261F947A04,SHA256=9707A3F8D3C4F0C60152620C39B1B53BF7933C29BB9EA973EA237C4BE9372A24,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000112927Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:22:29.636{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=364DADE03D229D24995BF3AD057A6F32,SHA256=8E7C43941869FA68819A884EB1D0FB082E2AF108FA654DF46F24BF45516D4CC9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000095187Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:22:29.285{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A7193968A2E47D7F641A1B8E6BBEE85,SHA256=18D87879605BC46A72260745B1C55AF00AD4CB9CD7347AA1EDD5413FFC7D884D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000112928Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:22:30.637{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CF0E3F0ECBB556634048B0148CA800DD,SHA256=8487B725C072C230DA4D39F74A47C540111C07001782DED9FA1606C49867449C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000095188Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:22:30.285{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6BFFFDC90BCCF7FE41D7B091CDE34DA1,SHA256=66D325BA11D974FAD8B7CE475BD52EC730639C644CC34CDB513907918CFC5B62,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000112930Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:22:31.652{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E556998864545AFE561E7A3C2B986195,SHA256=7A00EB53AA6A31123571D710556828EFB324EC801197552E3EDCA27CDC601C7F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000095189Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:22:31.301{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4464951FDBAC860B1ABFC19420EF2178,SHA256=F79E9394B9C93A61373D386B4C0AA14D1D07359352CD2100AF9F0E3BB6AB0846,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000112929Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:22:28.579{D0132419-04E8-614B-6A00-00000000FC01}3852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local55883-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000112931Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:22:32.699{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=716E444DBDBAD5206499483EA1C28370,SHA256=7553EEC390BE45B813B4F5E957E0B45FC7B5CDF0673473349F3D1BA67EB8DB22,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000095191Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:22:32.301{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=633E701F438488A1622215B5805C8D6E,SHA256=14C935C26AEF339D393FC91F1878120209E879E95C5283B0472B1174BB7679B7,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000095190Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:22:30.153{601D2BAB-04F9-614B-6600-00000000FD01}2700C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-301.eu-central-1.compute.internal50377-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000112932Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:22:33.730{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=815F6E49D0C4A6D237BAA37F9A94B636,SHA256=C4F1F1157C1B179CA1C98B61AD2C5BEB6A43BD981764084FEEC308A73E36C7B2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000095192Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:22:33.301{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8AFC348F9E34B6E06B322E2824494395,SHA256=6ABD9A0A1D2B83C143E18515CBC6FFE60D7CA2D07FDC34E784CA6CE50AA587FE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000112933Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:22:34.793{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B50EAEEFEB5DAFE0FA98249D1F7BA56,SHA256=48B4D9818842E0650D8E425DE785FDA67992C81000CCEB3FC881242E0DCAD023,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000095193Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:22:34.363{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CEE457F7F3E5A2C9F0B00BD10EC8B346,SHA256=7E5FFAC4DFBA448840105B34A9EBA2B370C346CB4BA3A545BA33ACC35552D3B8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000112935Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:22:35.808{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C9E2F6F551F0EE305C27DCEABCADFA3,SHA256=39894412E123398B711AF9D9BD6CC5EFFFF8DAD05DFA2ED5B98F45C0F5DECC42,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000095194Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:22:35.363{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=88A76A6ADDFE486C884831324D0D7334,SHA256=12E9390DFF94DCB6427FC71431DE8CCA94869B2FF2B0A401A164C635C6887EFC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000112934Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:22:33.734{D0132419-04E8-614B-6A00-00000000FC01}3852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local55884-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000112936Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:22:36.824{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E2721051296EF271774D4DD69350D8F0,SHA256=E92670A2BEFE6E3E11B4CC1A1BCB60EFA946F487F09222DE56DEA4C94AC2F18D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000095195Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:22:36.379{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4A894DED52E90C02C7BCDE8A7FE32952,SHA256=272044563025D08C0C11B9E3E34C28778D8308FB455FF899248A8AFA5CAC535A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000112939Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:22:37.855{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CDAA40A58E8088E16992C50B810E267C,SHA256=8879F3FD09AA6EF837990DDBF8C3F09A3570F65786ADF58A7AC7481B0B1362A4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000095197Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:22:37.379{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=41FA090FABA9B172C896C3EFE4164C47,SHA256=54A9BA93DFF68AD0DA0122E163C7C617DFEB435B1E6865EAFEBD5E0210B09614,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000112938Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-SetValue2021-09-22 11:22:37.511{D0132419-04D0-614B-1200-00000000FC01}628C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d7afa4-0x25d7de53) 23542300x8000000000000000112937Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:22:36.996{D0132419-04DD-614B-2800-00000000FC01}2832NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=2990B16A694DD695D7F6C8AE7AEE48F0,SHA256=B465CF03FBDF89CAB3FC04972E2D540944CDC3DF8EB3010FFE979D2D499C10D3,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000095196Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:22:36.131{601D2BAB-04F9-614B-6600-00000000FD01}2700C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-301.eu-central-1.compute.internal50378-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000112940Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:22:38.855{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=49D3A573236C6F553231C200E3C6EE48,SHA256=9DEB59C49575B5192DD51A80F9BAF596BC4D95023DB395AE03B6E41F1BEC8819,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000095198Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:22:38.410{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1933DE5AC5B4EA457F9E2078A12BB8AE,SHA256=C693D7A0874F801A8E3788ED65752EB2E17D45FC5F6C07F8577AA7724808EBFB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000112943Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:22:39.871{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C90C9E5B8C5BD39E35F8748F87217EE5,SHA256=2C0A460B1C2F8B7B9FDC637C394595A6B6BE8A316F602B94EAB4AC5D646B1980,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000095199Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:22:39.426{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=16E893AC8891BCFAA2BCBE92498929DE,SHA256=554831A037ACEAD24201F5FD5188AF26B094E0A4625FBF756013B84EFAE1F387,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000112942Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:22:36.984{D0132419-04D0-614B-1200-00000000FC01}628C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruefalse10.0.1.14win-dc-639.attackrange.local123ntpfalse20.101.57.9-123ntp 354300x8000000000000000112941Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:22:36.469{D0132419-04DD-614B-2800-00000000FC01}2832C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local55885-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x8000000000000000112944Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:22:40.919{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=530DFB88D11B6809AC953E38B3A609A9,SHA256=0666BCF696E070C39BCE9F386B71525B204914E6EE5D7B1AD5FC6EF9DAE7C477,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000095200Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:22:40.445{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE15ACC1CA724166B8393915F000509A,SHA256=93958CD9DEB194A640B5DD61B3856F1ADA0D19934DF2C3366468D51177B3AE27,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000112946Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:22:41.965{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D5616610F34EAB507926D32DC36A6506,SHA256=FD06754AA6FCB18FFE0AD84776427A43EDB4ED52159ECD29CF2740B2AD7C42AA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000095202Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:22:41.992{601D2BAB-04EF-614B-2300-00000000FD01}1560NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=2990B16A694DD695D7F6C8AE7AEE48F0,SHA256=B465CF03FBDF89CAB3FC04972E2D540944CDC3DF8EB3010FFE979D2D499C10D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000095201Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:22:41.445{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C750D71A0AD3D614DBAFBFF1917FFCDF,SHA256=532100EBA8B375AA739944EAD5B6B3142D394B84806D1505D2557E40F284E0EF,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000112945Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:22:39.609{D0132419-04E8-614B-6A00-00000000FC01}3852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local55886-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000095203Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:22:42.445{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=11C4F1BA72783F2AEE042A7CC95437FB,SHA256=2F9569524F7DCDA17F6A789183FFAC416D28C13AFA8C0BDA67E16D475031F508,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000095205Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:22:41.932{601D2BAB-04EF-614B-2300-00000000FD01}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-301.eu-central-1.compute.internal50379-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x800000000000000095204Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:22:43.445{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5919BA305709A79028E3F828D538E205,SHA256=7F0F94E2BC5383F02F2E2B917385C8B0B1632E833E3DD4EDBA00E00485E387A2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000112947Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:22:43.027{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A1B98EBB8C19CBD24F175AADD2451C92,SHA256=8C4A94E0ED752E43FD0D598C93ED94F9F6DF55F66D2DB054D386646CC3068EB9,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000095207Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:22:42.025{601D2BAB-04F9-614B-6600-00000000FD01}2700C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-301.eu-central-1.compute.internal50380-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000095206Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:22:44.445{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE50A66E7AF185DF0C4D8CB2E3F58C5C,SHA256=AD343CAB739FE48210612D016474D6BD6DB4BD7A45E3487CE3FEF72BE574EFE0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000112948Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:22:44.230{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC14CC932A1FCA582516EF5CE86F97C1,SHA256=F17613F0CA18A85803315F436F0FAAB111BB30BA7FADB561B30DC1BD98203E93,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000112949Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:22:45.277{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=026652E66DFFA01D8B7C2DBF6A8FD667,SHA256=ADED5D1E61AD4D78ECA473720172D1739598122AFFEDE4616FED9FD7FB8B1E49,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000095208Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:22:45.492{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=15B7187A1040AA9BBF58A9B52EA1E3AB,SHA256=553769764E67024C18A6779793930668EE4DBE69080293486F31DEA58D4B0157,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000112950Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:22:46.308{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A86364D50F15BFFEDF3227238B69DAF8,SHA256=1D0DE28F98AF9BA42398E1D15F476B007A70D872CD96E8659B7E63C397017AC6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000095209Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:22:46.492{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F9FFBAAEC4F4CBD47DF7DFCCA3685BCE,SHA256=527B3A2E23A80BB654EDB51F4F8DABCA60C58D4AF02316801D8EF3D40C67015B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000095210Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:22:47.554{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E7005735424EFEA17F88475E61B85AC6,SHA256=D9E7143E5E7DA393B6B227A8B7F91C26FDE6DB7D0899146B988F6D9E1349D9BB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000112951Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:22:47.371{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=03D1B981E5A12362B96059CDC1D006DE,SHA256=31A1A03D29687D445ABA7EB6E1532071A002A7423957951C6B85B42FB20D6984,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000095211Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:22:48.570{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C7A2C584FF53C60E74AFEC8B22D3175D,SHA256=AF3C2B40CC7114D3E6158FCD1CCF5E955B60E23DB4EC8129E4E46297EDF0D419,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000112953Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:22:45.578{D0132419-04E8-614B-6A00-00000000FC01}3852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local55887-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000112952Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:22:48.386{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=03DD13260FCF57189AA8F43327096994,SHA256=E3B1F736F1B3D8C0F0481236570D3D50E06ED54857F6EE3D69E34E82B6F2E812,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000112962Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:22:49.543{D0132419-04DE-614B-3100-00000000FC01}23683044C:\Windows\system32\conhost.exe{D0132419-1209-614B-6B02-00000000FC01}448C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000112961Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:22:49.543{D0132419-04CF-614B-0C00-00000000FC01}8486036C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000112960Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:22:49.543{D0132419-04CF-614B-0C00-00000000FC01}8486036C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000112959Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:22:49.543{D0132419-04CF-614B-0C00-00000000FC01}8486036C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000112958Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:22:49.543{D0132419-04CF-614B-0C00-00000000FC01}8486036C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000112957Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:22:49.543{D0132419-04CD-614B-0500-00000000FC01}42492C:\Windows\system32\csrss.exe{D0132419-1209-614B-6B02-00000000FC01}448C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000112956Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:22:49.543{D0132419-04DD-614B-2800-00000000FC01}28323704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D0132419-1209-614B-6B02-00000000FC01}448C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000112955Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:22:49.543{D0132419-1209-614B-6B02-00000000FC01}448C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D0132419-04CD-614B-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{D0132419-04DD-614B-2800-00000000FC01}2832C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000112954Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:22:49.402{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F673F6C23C31666D8034264BD2B37F0D,SHA256=BFB3B6128411DD930E04F36C036A1BC30490C2C7BD35525DD20B39FABC1C61CC,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000095213Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:22:47.072{601D2BAB-04F9-614B-6600-00000000FD01}2700C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-301.eu-central-1.compute.internal50381-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000095212Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:22:49.570{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B3F05F2DFDAEDF72051572E3764A923,SHA256=B76C0FE42378663CD17CCEC64FA9D373B70265F1991CA774FF3766B4A4552C3F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000112974Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:22:50.636{D0132419-120A-614B-6C02-00000000FC01}44804524C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{D0132419-04DD-614B-2800-00000000FC01}2832C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000112973Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:22:50.558{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=25AED1961177C69A0FE39233CFE57F35,SHA256=1B357B8A7274951FECDC9CA8CD8C4CAFBEA0D620906ABE6685BCD1E706F4617B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000112972Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:22:50.558{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1805C43E41451CB01024AF053FAA11ED,SHA256=5A3BE53C9428395995D05D2046BA8840279A9B41DBB014F313B3B4121F338B0A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000112971Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:22:50.449{D0132419-04DE-614B-3100-00000000FC01}23683044C:\Windows\system32\conhost.exe{D0132419-120A-614B-6C02-00000000FC01}4480C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000112970Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:22:50.449{D0132419-04CF-614B-0C00-00000000FC01}8486036C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000112969Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:22:50.449{D0132419-04CF-614B-0C00-00000000FC01}8486036C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000112968Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:22:50.449{D0132419-04CF-614B-0C00-00000000FC01}8486036C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000112967Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:22:50.449{D0132419-04CF-614B-0C00-00000000FC01}8486036C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000112966Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:22:50.449{D0132419-04CD-614B-0500-00000000FC01}42492C:\Windows\system32\csrss.exe{D0132419-120A-614B-6C02-00000000FC01}4480C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000112965Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:22:50.449{D0132419-04DD-614B-2800-00000000FC01}28323704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D0132419-120A-614B-6C02-00000000FC01}4480C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000112964Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:22:50.450{D0132419-120A-614B-6C02-00000000FC01}4480C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D0132419-04CD-614B-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{D0132419-04DD-614B-2800-00000000FC01}2832C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000112963Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:22:50.418{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ECC1B66CEA27B16D0D349099B0145DDE,SHA256=468055C77B7E83A7C7833C8C157A11340414F79A6E7C7AB761E4D51951FE9C30,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000095214Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:22:50.570{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5DC7E0D3B0F77FC50207D712573C2D3D,SHA256=446CD7841A7FAE90AB16CC81BB1A99F13B69146006E756F7D977310C4F9CB998,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000095215Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:22:51.586{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E73E4809B687F217A248020E55B96224,SHA256=F6071A4782F08118FB54472A12B1A76FF5CA2839FE3104365DFA1AD91BC08F70,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000112983Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:22:51.449{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C64F9A506D669CBAB8B6152284F5AA76,SHA256=C9E10F74906888B1C747E1CFBD0909344BA7A751B54DF4BBF4E6B0AAF0309B23,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000112982Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:22:51.121{D0132419-04DE-614B-3100-00000000FC01}23683044C:\Windows\system32\conhost.exe{D0132419-120B-614B-6D02-00000000FC01}3416C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000112981Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:22:51.121{D0132419-04CF-614B-0C00-00000000FC01}8486036C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000112980Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:22:51.121{D0132419-04CF-614B-0C00-00000000FC01}8486036C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000112979Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:22:51.121{D0132419-04CF-614B-0C00-00000000FC01}8486036C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000112978Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:22:51.121{D0132419-04CF-614B-0C00-00000000FC01}8486036C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000112977Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:22:51.121{D0132419-04CD-614B-0500-00000000FC01}424440C:\Windows\system32\csrss.exe{D0132419-120B-614B-6D02-00000000FC01}3416C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000112976Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:22:51.121{D0132419-04DD-614B-2800-00000000FC01}28323704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D0132419-120B-614B-6D02-00000000FC01}3416C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000112975Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:22:51.122{D0132419-120B-614B-6D02-00000000FC01}3416C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D0132419-04CD-614B-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{D0132419-04DD-614B-2800-00000000FC01}2832C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000095216Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:22:52.586{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=87ED60FC0E21E8DC2F486BEF3A411F31,SHA256=10C0404F73C61A767178E310ADF5125D9E2A03226028D8FAB5AA473E87ADAF3A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000112987Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:22:50.484{D0132419-04CD-614B-0B00-00000000FC01}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local55888-true0:0:0:0:0:0:0:1win-dc-639.attackrange.local389ldap 354300x8000000000000000112986Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:22:50.484{D0132419-04DD-614B-2500-00000000FC01}2784C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local55888-true0:0:0:0:0:0:0:1win-dc-639.attackrange.local389ldap 23542300x8000000000000000112985Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:22:52.465{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B768F13D9008DA0D7996F27F0545C05,SHA256=3DDCD7C23BBDC36EE1F19519931D84E4202C25B964728BD49E3389BBCDBB79C4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000112984Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:22:52.058{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=25AED1961177C69A0FE39233CFE57F35,SHA256=1B357B8A7274951FECDC9CA8CD8C4CAFBEA0D620906ABE6685BCD1E706F4617B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000112998Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:22:50.687{D0132419-04E8-614B-6A00-00000000FC01}3852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local55889-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x8000000000000000112997Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:22:53.730{D0132419-120D-614B-6E02-00000000FC01}46326048C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D0132419-04DD-614B-2800-00000000FC01}2832C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000112996Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:22:53.527{D0132419-04DE-614B-3100-00000000FC01}23683044C:\Windows\system32\conhost.exe{D0132419-120D-614B-6E02-00000000FC01}4632C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000112995Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:22:53.527{D0132419-04CF-614B-0C00-00000000FC01}8486036C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000112994Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:22:53.527{D0132419-04CF-614B-0C00-00000000FC01}8486036C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000112993Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:22:53.527{D0132419-04CF-614B-0C00-00000000FC01}8486036C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000112992Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:22:53.527{D0132419-04CF-614B-0C00-00000000FC01}8486036C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000112991Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:22:53.527{D0132419-04CD-614B-0500-00000000FC01}424540C:\Windows\system32\csrss.exe{D0132419-120D-614B-6E02-00000000FC01}4632C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000112990Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:22:53.527{D0132419-04DD-614B-2800-00000000FC01}28323704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D0132419-120D-614B-6E02-00000000FC01}4632C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000112989Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:22:53.528{D0132419-120D-614B-6E02-00000000FC01}4632C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D0132419-04CD-614B-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{D0132419-04DD-614B-2800-00000000FC01}2832C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000112988Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:22:53.465{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2CBD1379D84396DBAD43990D5912FB82,SHA256=B2823C248C3F228C1D73D2C0CB8B43BAA17F8073CAE1B0A6847773DD1C0457F5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000095217Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:22:53.586{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE9AD37D631A7312AE2B6DCA1D1B78B6,SHA256=730FB9A6BDF3B615E654EDEA9A3239A550B8F4728A030DB6543BD395999FDBE4,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000095219Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:22:53.057{601D2BAB-04F9-614B-6600-00000000FD01}2700C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-301.eu-central-1.compute.internal50382-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000095218Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:22:54.617{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=09BF24A05C615F7CAFDD53B0B7621DF5,SHA256=E0B27B06E6D4E929D31190681BAEE248D6A877657B1E9E28A17CE90BEA792B8B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000113000Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:22:54.543{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=665497D3B275BD6FCB596B0C84487E5D,SHA256=36DD7AE31007EB42F4B2DF07BF9A126A61EEA9412DD4CE54ABF44704A7721212,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000112999Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:22:54.496{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F9C49D02E83BF10E3E4145DDD3685F9,SHA256=F66058F167A0F044CB876A42CCE53137CB6EE6F4109224081690D87C8EDD19CC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000095221Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:22:55.633{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4DC462B22B0FAEA87EC7C868D6A17A45,SHA256=AC90062ED5D06843C4F74F86E3CF51D154EF3A86E6E5D980C9F7C47BB51818AE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000113001Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:22:55.558{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C2C38FDB2CAF9C96AB2AAAA394CF1A0,SHA256=231E375D24582EFCCF0EEE92073ED6E0C9510C1F5330819FCDA07F37AA45CBC6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000095220Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:22:55.304{601D2BAB-04EE-614B-1100-00000000FD01}972NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=D64486EC52A53DD459EF2EDCE8FB623E,SHA256=1EB9742B1988F57D2C0E333A620C9903AE4F7020A473BA4ECCABA7DBAD21CAA1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000095222Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:22:56.648{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=909B1F9FC721F52F81EF91A060D6F452,SHA256=7CC67B321C0A5CC06A5F8BD5DEA49CE043440244D145302C0142C1A1869D5C19,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000113002Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:22:56.558{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D2D7D124873A5DBFDE33C912DCF4D83,SHA256=FF0476541D56BAAA81719950B38006746EEAAE7DE2A722B1BBA7BC04FD41E1C9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000095223Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:22:57.711{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6CF9E347DA6812E8DDD7C694D5665820,SHA256=AF289EEE2C47A09C75F75B316DF8A1AB5E709703ECBE2222AEE02BFE69261E91,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000113003Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:22:57.574{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C4B1B81A3732B8B93F6CB8ACC680E9A1,SHA256=7AD9B08D6E039AE938BF2A5D6EC6AF373EE391B74F548F225FCF5D2079F96C31,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000095224Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:22:58.711{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A339663FC2029B47419EC37BA03B115,SHA256=BC6FD07D8694BBB87BE39DE4EFB111AEAD553E4B01F8414344C2FEE1DE595326,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000113004Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:22:58.590{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A976E1A2568F4A8322742A07F41F16A6,SHA256=96EED521264B7FE1FB1AD254702D02EFB1C46C7B62D6E6329312798E74D4129B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000095225Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:22:59.726{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2CD56CF99C171C0F977950948A276475,SHA256=C9F72DAFD0CFB351553EB7F39AF982AEC876397FB9F6E76839F0446FE26E2867,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000113006Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:22:59.621{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD3117CF7FAF15044559A924577CEA51,SHA256=D64D019A9ECF356CFB20DC5E0AF8D6FA0382440FFBBD99C8EEAB2BCEF89F3E9B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000113005Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:22:56.593{D0132419-04E8-614B-6A00-00000000FC01}3852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local55890-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x800000000000000095227Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:22:59.025{601D2BAB-04F9-614B-6600-00000000FD01}2700C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-301.eu-central-1.compute.internal50383-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000095226Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:23:00.786{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A0AB76B903029D1C9C3D4E78AE7C12B8,SHA256=6A091E0EACF1322EBAC1B6F3CB814F9E83A0847C85F198E61A51FAE7CD3FED76,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000113007Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:23:00.636{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=66ED319A759DF50B3E31485FFDF0EB87,SHA256=E9F6106445EE4A76DEAE44D3E062B601A31BF984C1F73339A659737ABFED824B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000095228Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:23:01.802{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE8B1FDACCA6AFAA1B3FE09147C5B86D,SHA256=02024C2669E23ADD8509579A026DA8681699023D46CE4FB61B3269E62D3D1DFD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000113008Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:23:01.652{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FFBCD11664B5CD0E432D2292D4FBBE77,SHA256=5B4B68CDC8C0B1BC5E7C8C939DC2BABB0B9360D96324ABFBFA8EF3FB30FE174C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000113010Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:23:02.669{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C38BA7DA677574EA1C0EE5BDCB9834B4,SHA256=B1E2603A463CC1AFBBCF682221B03CF4C236C01F4FE7F56C7896361F31D9E1A9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000095229Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:23:02.833{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=09E6EFBAE608320E18B9ACB2F58A602B,SHA256=53E5BE576DFDEF78ECF8CEE4005C86E8C112553DEF59F4879E680CAC81C47209,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000113009Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:23:02.577{D0132419-04DD-614B-2900-00000000FC01}2876NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-00d0db05f68d8430c\channels\health\respondent-20210922102639-054MD5=345F625AB226979275E8E5CD8333D545,SHA256=49B2C959B2C09B2DF7CFAED4905912E8B63F426A3734D76F2BAAFA07100D73D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000095230Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:23:03.864{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=42025EAC174710C9833592E7160D9037,SHA256=CF17028C4BEBE1F985F9EDC720CF73452ABFC465798E4EF6B685B6FEBE97F8B7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000113012Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:23:03.714{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BBD57738E80CE6B2566FBAAC4EC1B719,SHA256=66A61DB88E7FDA971E84FD88A9CB07366D555782FE57DDD01C144EEFCB4142C8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000113011Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:23:03.592{D0132419-04DD-614B-2900-00000000FC01}2876NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-00d0db05f68d8430c\channels\health\surveyor-20210922102637-055MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000095231Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:23:04.880{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=69A1D8B976250EB7BC4402AD72C29E96,SHA256=E9C4A573B3A5A63EAD5F865DF91BCA0C05D964F752E3026120E0AFA8C5097FE1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000113014Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:23:04.720{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=58806D16BA7EE43B4176C69D60D91EAF,SHA256=5F03D724FFE26C0F362257215A7E73E0A0F7A0F127CDD8DFD86F9A4684843882,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000113013Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:23:01.642{D0132419-04E8-614B-6A00-00000000FC01}3852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local55891-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x800000000000000095233Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:23:04.070{601D2BAB-04F9-614B-6600-00000000FD01}2700C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-301.eu-central-1.compute.internal50384-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000095232Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:23:05.880{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3FCD8447E6F11634F00AC2B7F8BE918C,SHA256=38D41AF76CD7BD9CC66B9558D3F17F2D9372BC14E44E474BA02186BE7CA89748,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000113015Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:23:05.735{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=40FFFF6FA3CCB200BE9BD0E8E6589D3B,SHA256=36E0F59190E64D2B8C2B599CA79CD76A2BF945E50166E23363AE1FCAB683B82D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000095247Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:23:06.880{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6DEC511529C34D35A9E4A38BD5FC50BD,SHA256=E7FB0ABB5456B374F21FB24A41FC0C28957B815F60C9782AE46ABC9FA89515CF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000113034Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:23:06.891{D0132419-121A-614B-7002-00000000FC01}43845892C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D0132419-04DD-614B-2800-00000000FC01}2832C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000113033Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:23:06.751{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC185D7643A614F27FD7AF98A609C532,SHA256=5984B0AB877E2D6A5B948899E263B15353E4FC61F883259FA9CC80719888BE8F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000095246Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:23:06.177{601D2BAB-04F0-614B-2B00-00000000FD01}28122832C:\Windows\system32\conhost.exe{601D2BAB-121A-614B-1F02-00000000FD01}3820C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000095245Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:23:06.177{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000095244Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:23:06.177{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000095243Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:23:06.177{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000095242Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:23:06.177{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000095241Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:23:06.177{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000095240Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:23:06.177{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000095239Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:23:06.177{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000095238Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:23:06.177{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000095237Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:23:06.177{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000095236Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:23:06.177{601D2BAB-04ED-614B-0500-00000000FD01}4121044C:\Windows\system32\csrss.exe{601D2BAB-121A-614B-1F02-00000000FD01}3820C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000095235Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:23:06.177{601D2BAB-04EF-614B-2300-00000000FD01}15603852C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{601D2BAB-121A-614B-1F02-00000000FD01}3820C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000095234Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:23:06.178{601D2BAB-121A-614B-1F02-00000000FD01}3820C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{601D2BAB-04EE-614B-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{601D2BAB-04EF-614B-2300-00000000FD01}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000113032Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:23:06.688{D0132419-04DE-614B-3100-00000000FC01}23683044C:\Windows\system32\conhost.exe{D0132419-121A-614B-7002-00000000FC01}4384C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000113031Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:23:06.688{D0132419-04CF-614B-0C00-00000000FC01}8486036C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000113030Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:23:06.688{D0132419-04CF-614B-0C00-00000000FC01}8486036C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000113029Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:23:06.688{D0132419-04CF-614B-0C00-00000000FC01}8486036C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000113028Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:23:06.688{D0132419-04CF-614B-0C00-00000000FC01}8486036C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000113027Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:23:06.688{D0132419-04CD-614B-0500-00000000FC01}424440C:\Windows\system32\csrss.exe{D0132419-121A-614B-7002-00000000FC01}4384C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000113026Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:23:06.688{D0132419-04DD-614B-2800-00000000FC01}28323704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D0132419-121A-614B-7002-00000000FC01}4384C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000113025Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:23:06.690{D0132419-121A-614B-7002-00000000FC01}4384C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{D0132419-04CD-614B-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{D0132419-04DD-614B-2800-00000000FC01}2832C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000113024Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:23:06.454{D0132419-121A-614B-6F02-00000000FC01}48484112C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{D0132419-04DD-614B-2800-00000000FC01}2832C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000113023Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:23:06.188{D0132419-04DE-614B-3100-00000000FC01}23683044C:\Windows\system32\conhost.exe{D0132419-121A-614B-6F02-00000000FC01}4848C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000113022Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:23:06.188{D0132419-04CF-614B-0C00-00000000FC01}8486036C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000113021Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:23:06.188{D0132419-04CF-614B-0C00-00000000FC01}8486036C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000113020Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:23:06.188{D0132419-04CF-614B-0C00-00000000FC01}8486036C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000113019Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:23:06.188{D0132419-04CF-614B-0C00-00000000FC01}8486036C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000113018Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:23:06.188{D0132419-04CD-614B-0500-00000000FC01}424440C:\Windows\system32\csrss.exe{D0132419-121A-614B-6F02-00000000FC01}4848C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000113017Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:23:06.188{D0132419-04DD-614B-2800-00000000FC01}28323704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D0132419-121A-614B-6F02-00000000FC01}4848C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000113016Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:23:06.189{D0132419-121A-614B-6F02-00000000FC01}4848C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D0132419-04CD-614B-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{D0132419-04DD-614B-2800-00000000FC01}2832C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000095277Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:23:07.942{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A251AF26FA6097C83E4936FF48A28E82,SHA256=9BBC8EE4987B245FE4A1ED1A82D770B7A1384AA87CCC3E5034B3F2697691F14D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000095276Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:23:07.927{601D2BAB-121B-614B-2102-00000000FD01}17283676C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{601D2BAB-04EF-614B-2300-00000000FD01}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000113045Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:23:07.798{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=237A45DBCF9618A005F8574E79B95737,SHA256=012B04526694E583E3E5F764BF698EE9EDE15CE65AC39256D4D815521AE9105E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000095275Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:23:07.802{601D2BAB-04F0-614B-2B00-00000000FD01}28122832C:\Windows\system32\conhost.exe{601D2BAB-121B-614B-2102-00000000FD01}1728C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000095274Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:23:07.802{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000095273Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:23:07.802{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000095272Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:23:07.802{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000095271Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:23:07.802{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000095270Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:23:07.802{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000095269Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:23:07.802{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000095268Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:23:07.802{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000095267Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:23:07.802{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000095266Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:23:07.802{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000095265Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:23:07.802{601D2BAB-04ED-614B-0500-00000000FD01}412528C:\Windows\system32\csrss.exe{601D2BAB-121B-614B-2102-00000000FD01}1728C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000095264Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:23:07.802{601D2BAB-04EF-614B-2300-00000000FD01}15603852C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{601D2BAB-121B-614B-2102-00000000FD01}1728C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000095263Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:23:07.802{601D2BAB-121B-614B-2102-00000000FD01}1728C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{601D2BAB-04EE-614B-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{601D2BAB-04EF-614B-2300-00000000FD01}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000095262Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:23:07.192{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1683A9A895F103445043AA3608C90139,SHA256=190B02BC85B24ADD56EDDB78CB51A075CD1090EA6DCE15589C0AD20FD98E2D64,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000095261Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:23:07.192{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C551750A3461AFEC8C9C522E24BC6A71,SHA256=34D712B7999C5243BA1D1A89DA702F8A0333DFCFCB450AC91D945690BD717094,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000095260Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:23:07.130{601D2BAB-04F0-614B-2B00-00000000FD01}28122832C:\Windows\system32\conhost.exe{601D2BAB-121B-614B-2002-00000000FD01}404C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000095259Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:23:07.130{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000095258Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:23:07.130{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000095257Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:23:07.130{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000095256Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:23:07.130{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000095255Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:23:07.130{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000095254Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:23:07.130{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000095253Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:23:07.130{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000095252Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:23:07.130{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000095251Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:23:07.130{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000095250Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:23:07.130{601D2BAB-04ED-614B-0500-00000000FD01}412428C:\Windows\system32\csrss.exe{601D2BAB-121B-614B-2002-00000000FD01}404C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000095249Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:23:07.130{601D2BAB-04EF-614B-2300-00000000FD01}15603852C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{601D2BAB-121B-614B-2002-00000000FD01}404C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000095248Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:23:07.131{601D2BAB-121B-614B-2002-00000000FD01}404C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{601D2BAB-04EE-614B-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{601D2BAB-04EF-614B-2300-00000000FD01}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000113044Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:23:07.220{D0132419-04DE-614B-3100-00000000FC01}23683044C:\Windows\system32\conhost.exe{D0132419-121B-614B-7102-00000000FC01}5628C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000113043Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:23:07.220{D0132419-04CD-614B-0500-00000000FC01}424440C:\Windows\system32\csrss.exe{D0132419-121B-614B-7102-00000000FC01}5628C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000113042Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:23:07.220{D0132419-04CF-614B-0C00-00000000FC01}8486036C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000113041Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:23:07.220{D0132419-04CF-614B-0C00-00000000FC01}8486036C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000113040Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:23:07.220{D0132419-04CF-614B-0C00-00000000FC01}8486036C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000113039Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:23:07.220{D0132419-04CF-614B-0C00-00000000FC01}8486036C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000113038Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:23:07.220{D0132419-04DD-614B-2800-00000000FC01}28323704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D0132419-121B-614B-7102-00000000FC01}5628C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000113037Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:23:07.221{D0132419-121B-614B-7102-00000000FC01}5628C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D0132419-04CD-614B-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{D0132419-04DD-614B-2800-00000000FC01}2832C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000113036Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:23:07.204{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4EAF8BDDF4AAE2593B69AFA59315D8C7,SHA256=3A7EA7F6F655BE2F437A6DB62B378862B361039B5C7A3CCFA0A78BC2977F3A22,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000113035Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:23:07.204{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A4A22C715BABEE8C956399D4085B9DED,SHA256=9A9184D2085BAD53660B1F74AB5B8C6F55093D81432E10FCE39953397F13E0C4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000095279Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:23:08.942{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D7BD473987D634E8B65AA67786FBB0C,SHA256=FDE142AFAB4E79D5F232F919A84C650CAA015663CD15AD486C0FF5783C2DA342,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000113047Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:23:08.813{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0A1A803C749C76E60CA886144332C3D4,SHA256=C64D1F4EF8C12EBF58919B2908D0733026F82426C87BB1E3C7700DD253EB684F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000095278Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:23:08.817{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1683A9A895F103445043AA3608C90139,SHA256=190B02BC85B24ADD56EDDB78CB51A075CD1090EA6DCE15589C0AD20FD98E2D64,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000113046Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:23:08.282{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4EAF8BDDF4AAE2593B69AFA59315D8C7,SHA256=3A7EA7F6F655BE2F437A6DB62B378862B361039B5C7A3CCFA0A78BC2977F3A22,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000095295Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:23:09.958{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A52DEF50CFD062CD76077BB84370CE2,SHA256=40D0C0BB7EFF4232BB25D7997A9290341688212F3372F106D7E72863C62B0037,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000113049Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:23:09.829{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1105D88094F1D123C03B4213F832B2A3,SHA256=27311E77A6C0ADEAE7D8DE7BF0B4BD144272F300BCB1C7C2B11454E29970C10F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000095294Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:23:09.880{601D2BAB-121D-614B-2202-00000000FD01}19883724C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{601D2BAB-04EF-614B-2300-00000000FD01}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000095293Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:23:09.755{601D2BAB-04F0-614B-2B00-00000000FD01}28122832C:\Windows\system32\conhost.exe{601D2BAB-121D-614B-2202-00000000FD01}1988C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000095292Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:23:09.755{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000095291Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:23:09.755{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000095290Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:23:09.755{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000095289Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:23:09.755{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000095288Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:23:09.755{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000095287Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:23:09.755{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000095286Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:23:09.755{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000095285Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:23:09.755{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000095284Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:23:09.755{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000095283Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:23:09.755{601D2BAB-04ED-614B-0500-00000000FD01}412428C:\Windows\system32\csrss.exe{601D2BAB-121D-614B-2202-00000000FD01}1988C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000095282Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:23:09.755{601D2BAB-04EF-614B-2300-00000000FD01}15603852C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{601D2BAB-121D-614B-2202-00000000FD01}1988C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000095281Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:23:09.756{601D2BAB-121D-614B-2202-00000000FD01}1988C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{601D2BAB-04EE-614B-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{601D2BAB-04EF-614B-2300-00000000FD01}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000095280Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:23:07.504{601D2BAB-04EE-614B-1000-00000000FD01}932C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.122-65082-false10.0.1.15win-host-301.eu-central-1.compute.internal3389ms-wbt-server 354300x8000000000000000113048Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:23:06.677{D0132419-04E8-614B-6A00-00000000FC01}3852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local55892-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000113051Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:23:10.845{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=72AFBC2EAD6EA57794E73E978F56496D,SHA256=F9C9DD18BD7087BCBC789339BA51A21C34EF955A88755312DDBDF59F0F10D5B3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000095311Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:23:10.974{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=10C363C7B99C8EBD24BDFD697C5ADB92,SHA256=39044F50587CF9D0AE593D9C51C430096008D9157B578D20DCE5143A412A8A90,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000095310Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:23:10.974{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C585CD82176C4FFD09B929FF2B92C75A,SHA256=F165DD445F88CBBE36AECF2A9362D6A1716A3529CEDA97A0221AAD395065C290,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000095309Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:23:10.552{601D2BAB-121E-614B-2302-00000000FD01}10883664C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{601D2BAB-04EF-614B-2300-00000000FD01}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000095308Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:23:10.427{601D2BAB-04F0-614B-2B00-00000000FD01}28122832C:\Windows\system32\conhost.exe{601D2BAB-121E-614B-2302-00000000FD01}1088C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000095307Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:23:10.427{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000095306Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:23:10.427{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000095305Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:23:10.427{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000095304Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:23:10.427{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000095303Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:23:10.427{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000095302Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:23:10.427{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000095301Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:23:10.427{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000095300Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:23:10.427{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000095299Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:23:10.427{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000095298Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:23:10.427{601D2BAB-04ED-614B-0500-00000000FD01}4121044C:\Windows\system32\csrss.exe{601D2BAB-121E-614B-2302-00000000FD01}1088C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000095297Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:23:10.427{601D2BAB-04EF-614B-2300-00000000FD01}15603852C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{601D2BAB-121E-614B-2302-00000000FD01}1088C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000095296Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:23:10.428{601D2BAB-121E-614B-2302-00000000FD01}1088C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{601D2BAB-04EE-614B-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{601D2BAB-04EF-614B-2300-00000000FD01}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000113050Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:23:08.342{D0132419-04DD-614B-2A00-00000000FC01}2988C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-639.attackrange.local53domainfalse10.0.1.15WIN-HOST-30150491- 23542300x8000000000000000113052Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:23:11.876{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FBD39675370931A4226CABFF55612ABF,SHA256=C98C20BF237AF691B5B15BC37BED457D47EA81CBCF80A68ACE7050B28D3E3D68,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000095327Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:23:11.974{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=72B4DC94ABC3DE96EF1943DC96F72E79,SHA256=FAC9C4D52C4B6F76427B406B11BC5190C760F78EE767577F491F81C9C0CE0B4E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000095326Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:23:11.239{601D2BAB-121F-614B-2402-00000000FD01}23922928C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{601D2BAB-04EF-614B-2300-00000000FD01}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000095325Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:23:11.099{601D2BAB-04F0-614B-2B00-00000000FD01}28122832C:\Windows\system32\conhost.exe{601D2BAB-121F-614B-2402-00000000FD01}2392C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000095324Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:23:11.099{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000095323Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:23:11.099{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000095322Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:23:11.099{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000095321Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:23:11.099{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000095320Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:23:11.099{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000095319Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:23:11.099{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000095318Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:23:11.099{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000095317Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:23:11.099{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000095316Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:23:11.099{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000095315Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:23:11.099{601D2BAB-04ED-614B-0500-00000000FD01}412528C:\Windows\system32\csrss.exe{601D2BAB-121F-614B-2402-00000000FD01}2392C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000095314Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:23:11.099{601D2BAB-04EF-614B-2300-00000000FD01}15603852C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{601D2BAB-121F-614B-2402-00000000FD01}2392C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000095313Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:23:11.099{601D2BAB-121F-614B-2402-00000000FD01}2392C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{601D2BAB-04EE-614B-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{601D2BAB-04EF-614B-2300-00000000FD01}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000095312Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:23:09.179{601D2BAB-04F9-614B-6600-00000000FD01}2700C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-301.eu-central-1.compute.internal50385-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000095329Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:23:12.989{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=61BEA3BB62E4DC89696E2628FF9D30CB,SHA256=3FD0FE152F1EFDB0573846449D7F7102F92A73BB353E56671AC6A6AC15D8D8FD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000113053Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:23:12.891{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CAA1F8665ED0A2420174EBEBE40A640D,SHA256=F0CE81724AD48BFAE930C21713B1DF20122DD2EECA486A167E542E519C69C8EA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000095328Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:23:12.317{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7C6EC43DC06841CB59B1F6E5A6932D29,SHA256=302DEFCDF1100FA4395AC24A4B993B9D4C8C87E6323BDBB2722656AEDE4A670A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000113054Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:23:13.938{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=62F6104918DA82582DCCA7BB89C4E23E,SHA256=E9CD0D05D5863A1156ADFFE395B28651366CF30258DA9C93A1CB72A23A75BFD0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000095342Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:23:13.005{601D2BAB-04F0-614B-2B00-00000000FD01}28122832C:\Windows\system32\conhost.exe{601D2BAB-1221-614B-2502-00000000FD01}3108C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000095341Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:23:13.005{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000095340Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:23:13.005{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000095339Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:23:13.005{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000095338Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:23:13.005{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000095337Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:23:13.005{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000095336Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:23:13.005{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000095335Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:23:13.005{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000095334Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:23:13.005{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000095333Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:23:13.005{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000095332Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:23:13.005{601D2BAB-04ED-614B-0500-00000000FD01}412528C:\Windows\system32\csrss.exe{601D2BAB-1221-614B-2502-00000000FD01}3108C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000095331Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:23:13.005{601D2BAB-04EF-614B-2300-00000000FD01}15603852C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{601D2BAB-1221-614B-2502-00000000FD01}3108C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000095330Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:23:13.006{601D2BAB-1221-614B-2502-00000000FD01}3108C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{601D2BAB-04EE-614B-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{601D2BAB-04EF-614B-2300-00000000FD01}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000113055Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:23:14.954{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BBD3CC6B60A005F19B6DF8EC78B3F3C9,SHA256=D07F658B3ED408B10C5F457043A986CDC191685C59B936E1AAA57D777D1C28F8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000095344Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:23:14.005{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=62085A47797EB89DB6E3675BBC782F16,SHA256=DA346E328A265433C78B7A25080F1ECB3449DD79243FBB7B3BFBFEF9DC7EF2C3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000095343Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:23:14.005{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8CB9CDA518F5A8682E03C006CA040B1B,SHA256=548D44C4D3D0E39908A513695CBEC3CD1048C0E49CDB5526BB572DC3D3E4D22C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000113057Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:23:15.985{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F2B71BF4F44467C16D2EA2A623634A24,SHA256=FB5E5EF930181C700631612A3905AC0137CC3ED7E260337920FF914D9E978FEF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000095345Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:23:15.021{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=72DFE4F843529B6ED8DB883ED5DDA273,SHA256=766A53D4437DA80DB0819834A8F4E7D9E3D4BFBB65A5027A408D5D3A5ECA0DA8,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000113056Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:23:12.630{D0132419-04E8-614B-6A00-00000000FC01}3852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local55893-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000095346Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:23:16.021{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB6DF59547C1039FDBA3767AD8BC9DD0,SHA256=71C23159FA3309F7F7DD88264EFDF614EBB226DA8753F4BD2739206D09D64566,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000095348Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:23:14.961{601D2BAB-04F9-614B-6600-00000000FD01}2700C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-301.eu-central-1.compute.internal50386-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000095347Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:23:17.052{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F02D9CAC9C73651A3FA219A45BDFEF18,SHA256=6C61B65DD878AD0F2D98F724ECF6BA93904223B8E78A7D7B7BE37F9D1942EA16,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000113058Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:23:17.017{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8737DC9F988F2CEF9901D505994A44FA,SHA256=C0C1BAC0823CEDBCFBF47AE79CFBDFB180F8B76FBF6135A9F4A37D33DD3E704C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000095349Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:23:18.052{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=61D53A9A257EDBFF85F6D4E50A49E301,SHA256=29D7984EF51032A3A51FE23B5559D2C40F895E3CDB940D649D9DA0D861E68052,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000113059Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:23:18.032{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F7167E265CBE35E8FB21CBB2A1525AFE,SHA256=A738AD9E53DD75E66A0281DA8077482006BD29EA032A834097F36FADDF816C07,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000095350Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:23:19.099{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EF330850187BE50DA2EEBE27C567F434,SHA256=56004F8AB0EEE26F2F69E2EAD173EF28A260CD8881CAAA6117FD842A4B17E50F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000113061Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:23:17.723{D0132419-04E8-614B-6A00-00000000FC01}3852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local55894-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000113060Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:23:19.048{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=896A31F4FDA674667865300A2507B34B,SHA256=12CEA43E00E6DD66D57A09EDEFD66FB8990A3E9706F66FCEE9F29A8B1984FF4D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000095352Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:23:20.105{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=84E79B2E2E2542BE35DF04BC8402EC2E,SHA256=DE17CA1D52290D4715F7A4831EE7369238C0EC7828D2F74247E33210B156382B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000113062Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:23:20.063{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C09571A6EA22F5275EEDA3F9EF587440,SHA256=D6A3412EFE38D0E649663F08FF60E51794696A29BA73D082B355CCCB6F4C793C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000095351Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:23:20.092{601D2BAB-04EF-614B-1D00-00000000FD01}1920NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-03510517867203100\channels\health\respondent-20210922102657-054MD5=22FBA84AE51C77110BB6250FAEBEFB73,SHA256=8C4862C18A6D8E85F040577B2F2863C8212E82437A5FE9547DE6724818512818,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000095354Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:23:21.111{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4773498383AB9E9B56074E2293A120C6,SHA256=6E5876B24F84B4E94E252BF8B84B5115DDD90A193DA32275E6EF659F442CCDCA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000113063Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:23:21.079{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0717D694B6C2440B7163711095D4E682,SHA256=B18D38F03621B6C83F1A2664AA656B4F327C583F16C3F92B6D309853B2FAB8E5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000095353Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:23:21.105{601D2BAB-04EF-614B-1D00-00000000FD01}1920NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-03510517867203100\channels\health\surveyor-20210922102655-055MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000095356Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:23:20.138{601D2BAB-04F9-614B-6600-00000000FD01}2700C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-301.eu-central-1.compute.internal50387-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000095355Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:23:22.150{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B0E3839457A61FF57BBF4B03D271AE35,SHA256=3CC81141B0C68DD9028D837BFD7C6BE218AC080E5E60C3553FD6CBF3EA33E426,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000113067Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:23:20.334{D0132419-04D0-614B-0F00-00000000FC01}368C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse144.76.70.162static.162.70.76.144.clients.your-server.de49997-false10.0.1.14win-dc-639.attackrange.local3389ms-wbt-server 23542300x8000000000000000113066Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:23:22.095{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A16251CEB6A985636119DFD6DB601E72,SHA256=865BF0E8A91B82F74D4FF5E55BB7F66D89C1468B9D99FFD9D754A1D712D1C95E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000113065Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:23:22.001{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AA891EC8754FFF5C14706E3C8CC3BE07,SHA256=98E7044C19C01DA3F5A2BECA76C975AFAEA3C4B6D2533D7F235C883DC36BB881,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000113064Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:23:22.001{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3FAFBCD64644F36E982B38577B168BB4,SHA256=F383A7C87A528568EA7A7BD065B92F92E8FE21CC57E8933BB388FAC8ECCFA281,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000095357Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:23:23.150{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7612CAC04FA82444ABC5C8E1E2EBD9FA,SHA256=A86DC30A243F43139CD4BAF634F21859FB0BD36CAA20BD80B0E3E86923B40D46,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000113068Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:23:23.110{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD5D1C143D939EAD051D5EFFCA90100A,SHA256=7E9FDEE3CAB01418EB0EB77B28030001F999F8B73F141DD90A3C92ABD9EE020B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000095358Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:23:24.182{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C4C383BFDA4197E35014E0DAF6BA88A,SHA256=B83676BB0D4608464835B8A664EE1D958D762820D358A60E37447AF49854D34E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000113069Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:23:24.126{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4776AC2A499E2E84F6077E3749F4799E,SHA256=A02CE94CF4DE373850C5F9E86F6FAA672E7A9314A0B59A225689AD2DB4AFD185,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000095359Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:23:25.229{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=03CC72A25D526C588F5357E5CC74AB3A,SHA256=4157541A5689FBBF9424723CC0D69F3A6D30AF6D871DB635CFB17C7D430EF5ED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000113071Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:23:25.127{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1CF299976C1DC1C51D1F7735F564FDA1,SHA256=80D755C2FD2B088DDEF6A411D688820CC208367EF055B53E87FC41ED8F159E08,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000113070Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:23:25.079{D0132419-04D0-614B-1300-00000000FC01}396NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=4C990916787DDB491D73196F04D1EDA8,SHA256=289994E494E729BB2813B00406BDFAB490AE1236DCE57EB8BECC6AAE6D1C2B58,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000095360Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:23:26.229{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=36DD02A8963EC13BFA289FB7B9259865,SHA256=BFC938B4485CB3A4E96D3FAC285AA9339A0CBE5AD29119B8D50BF70E97DA233E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000113073Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:23:26.141{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5EEDBD1631A79EDC0C56AEC1E09121E3,SHA256=836F1F33B3FFBBC61FEE58A5EE3BC483CD26EA7AC458048989ADAF1764B955C5,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000113072Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:23:23.661{D0132419-04E8-614B-6A00-00000000FC01}3852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local55895-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x800000000000000095362Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:23:26.075{601D2BAB-04F9-614B-6600-00000000FD01}2700C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-301.eu-central-1.compute.internal50388-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000095361Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:23:27.244{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FCC8F56860B81EC4B49C4009B8DA932B,SHA256=0ACFF5053F036677009DD9C2D7E02DD89C067F79F12EC1CA9DF059797461C348,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000113074Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:23:27.157{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=93B817C8D6DA56BC8A4D50A879B40DB6,SHA256=D580CED7C131649336CC6A028BE1CA7E36500420FB48652B098DD8C4FE2E3610,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000095363Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:23:28.244{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C6D00B0F23175930E19CD3F0B66D09B1,SHA256=ADB9EF6FBD754053084C31FECB376DF4CF8A4445644774DE0C84360A27C6EA4C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000113075Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:23:28.173{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5652F6AFB3CA1991FF980A26B9E10EDD,SHA256=181A6161E576BC4743324309D681751EF44DAC07539BD13EEFDF36450AA6951E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000113076Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:23:29.173{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4298D1E78829E83542B0465327D73DB9,SHA256=BB564932BF0B5E1ED9CE6908369936F3B70AB442ACF83E667DDFFD1108C212FB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000095364Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:23:29.244{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=57E39D104106C735BAA0ED4C5804E014,SHA256=C7A709A02708059374C52731817239BF8815D0AF9391EC5DDAA696433E6AE868,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000095365Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:23:30.244{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=32B2E9B841AFAA17010ABBD5EA4A6FAC,SHA256=C2F09B00A003CC4DC8D5E8D367ED9C82EB0CCB9188C71B784F3F4C6D03D6FCD0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000113077Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:23:30.251{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=334FA75FADAEBFB28C384425F98426B9,SHA256=EEF7DD888A7934F2C9CDC06B9CC8C3D9A4B4D9353F836E1ADAA82CA9AB993570,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000095366Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:23:31.291{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=529C11F025E43D84261B37DD6623A0FC,SHA256=761587726D619D7E79ABF897B8088A5E209A12EF1162F0A3F1C3FB90E51B7212,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000113078Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:23:31.282{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB716413E722F25AC0707B790C8B2C6F,SHA256=E2D7BD3696111921433689BE59201C4F78A2AF4BBCAD908299D5C51838E2857D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000095367Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:23:32.291{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0133B795532BC3CFF4FF2449E34CA22F,SHA256=104C75FD7F6E5C403FD053239D69F21762C43C1E7E815087B1CBF0A5DAECF43E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000113080Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:23:32.282{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C824DBA2A0686D97FBB4836661C9EA97,SHA256=CC50ED68C6A9E144C62716BD1BE0A41F856305A55C996AD418D6F3263DF24F6D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000113079Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:23:29.676{D0132419-04E8-614B-6A00-00000000FC01}3852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local55896-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000113081Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:23:33.298{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C48C153CD3B6902C5793EA2957E1999F,SHA256=70DFC21DC707426357CE259CA425C9BC2A6223948CAF60D75789E4B7D7D563EF,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000095369Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:23:32.028{601D2BAB-04F9-614B-6600-00000000FD01}2700C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-301.eu-central-1.compute.internal50389-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000095368Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:23:33.291{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6341CB1270853D00577BAF6E88403288,SHA256=FD3ED3EB2CC5BC9BB6A172A8F26A00E85A12C574BE23B3B840686D614D4236DC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000095370Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:23:34.291{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=488843FFCF27449B6A6CBAF2C9BCE99B,SHA256=340E1163061E55B3809DED5E67A852A88D971080254DBB5A464026986A4775BA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000113082Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:23:34.313{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE90E346273492B8818FF9CBEAF146F9,SHA256=85869EE1B1DE8C4BC6DDAB32C536E165982E571ADE827F5F16DFED552A193E6A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000095371Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:23:35.307{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F059F5F74391CE771BFC8B1FAE47B75D,SHA256=47C82D455506B389E41B529DB7924E453F74B6947B17A83F2C88A4068AF5BEB3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000113083Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:23:35.329{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A8CE3FB4B6BB65B17CDC427003A232CF,SHA256=FB54F9B255CF46F7A270844F1A02159815B4C8BB4721A65327ECB230479259F6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000095372Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:23:36.338{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0BF603AC0B82693478AA31205D1AB294,SHA256=4C5477EDEB31B9D2F4E18DDCE10D2569B9D6FECC04EC71DDFACDAECAFFD3D223,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000113084Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:23:36.376{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D7C6245DDA66B62C45026B55CEDFE21,SHA256=4244461D2196A23FB80B40787D168F9AED974BA4215BDC6F58E87D8ED8FA4EFA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000095373Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:23:37.385{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=260FC79147F468CB07BCFBA68B48FEA7,SHA256=CC21FDA0D832E201F6D53E58E8479AB9FA4DDC6506572183B93316A35A00FA45,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000113086Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:23:37.407{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4FFEA08AE312831C225E298E6882B49A,SHA256=1BC8858F2D31BD10CAEFD1FEFD82DAEEAB290F986BB387D33792ED7CA0989610,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000113085Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:23:37.016{D0132419-04DD-614B-2800-00000000FC01}2832NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=2990B16A694DD695D7F6C8AE7AEE48F0,SHA256=B465CF03FBDF89CAB3FC04972E2D540944CDC3DF8EB3010FFE979D2D499C10D3,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000095375Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:23:37.044{601D2BAB-04F9-614B-6600-00000000FD01}2700C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-301.eu-central-1.compute.internal50390-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000095374Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:23:38.401{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=85F303A4F2EC70DD52B560FE090B161C,SHA256=11DE6AE38A103CE6566C8EE9C64E60EB416D41A3324631EB0FFFD4DDEDF59A49,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000113089Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:23:38.438{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=55A092D96BE1E6B00A2CE63FC0C0A80E,SHA256=8B781C45733391D36A895209BFA7377E61673EB77D6808D319F82F3D9CCC47B2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000113088Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:23:36.489{D0132419-04DD-614B-2800-00000000FC01}2832C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local55898-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 354300x8000000000000000113087Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:23:35.707{D0132419-04E8-614B-6A00-00000000FC01}3852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local55897-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000095376Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:23:39.401{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=644E3AB0DBF4D11FD61AE70239B002CA,SHA256=04CFAC6D097E9715EB3C3DC72C6C428A712E3BEEB9C8B312126B4A31C26DA7A4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000113090Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:23:39.439{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F38A001813734C820FE974342C4BA03,SHA256=5E3923679685F25992C64BD57FA1B451D35BFB9CD721497573F12E5DD34873AC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000095377Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:23:40.423{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B08FCDDA700546491689B889B948D728,SHA256=B3F9DD74ADEC5608508F05498F8434A067E33838367AC951AC86BF5DE5C08321,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000113094Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:23:40.470{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=89BAD16D15DB233101EE3796082966E2,SHA256=2D4004A6A8BAEF4E81D767B895057E7BA66E43AE810BB3E9B674709982BCC1A8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000113093Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:23:40.063{D0132419-04CF-614B-0C00-00000000FC01}8486036C:\Windows\system32\svchost.exe{D0132419-04D0-614B-1600-00000000FC01}1304C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000113092Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:23:40.063{D0132419-04CF-614B-0C00-00000000FC01}8486036C:\Windows\system32\svchost.exe{D0132419-04D0-614B-1600-00000000FC01}1304C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000113091Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:23:40.063{D0132419-04CF-614B-0C00-00000000FC01}8486036C:\Windows\system32\svchost.exe{D0132419-04D0-614B-1600-00000000FC01}1304C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000095378Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:23:41.438{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB72CFF526F745EA38D2C2A57E3C80E0,SHA256=7F8580025224334DA374B028FC21D4CDAF6091B5B0745F126D345F7033B44287,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000113095Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:23:41.485{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7EAC046B7526D9CDF9DD005A2DF17DD1,SHA256=BDDDFE56837A413B9E1BECED3F64486D6822B631306D37C10C6873465EC91102,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000095380Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:23:42.610{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=81C72AE7F7FCE0DDACA1547A17FC788A,SHA256=3AC48EB605A72770A5ADF76BB6EF9076C326C574FA7E1DF62F3D5EAC581ED9A7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000113096Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:23:42.548{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A5DFF97C62725A6EC64F66AFF52176F5,SHA256=4F2E2BC52CAADBF5906DCB0F96D376993E1C76352514D344584DDE1A64B10137,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000095379Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:23:42.016{601D2BAB-04EF-614B-2300-00000000FD01}1560NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=2990B16A694DD695D7F6C8AE7AEE48F0,SHA256=B465CF03FBDF89CAB3FC04972E2D540944CDC3DF8EB3010FFE979D2D499C10D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000095381Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:23:43.626{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2ACD9F27A1446F2328921FC504D6F5AC,SHA256=B05B3DF3311CC1BEE2CC6A366B6C17093E962798F5082C66D328ECBED1FBB7C5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000113097Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:23:43.548{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=673BC10E0D83972FE3D92AECD809DFA0,SHA256=BA79379622F4601E84CEA4C8777CEC13F9C7401649EC254F26E49721330568C7,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000095384Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:23:42.206{601D2BAB-04F9-614B-6600-00000000FD01}2700C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-301.eu-central-1.compute.internal50392-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000095383Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:23:44.641{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C7DFA316D5D193701A8050A324F114B7,SHA256=BFE31AC8E1EA3D6F1AA717E7F35C5E6A5FEDED01BDAAB4CC2BFF5AFE73D9F417,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000113099Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:23:44.563{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C454A9B7D080EC5E3ABBA90AA43951F9,SHA256=36711CFA9F5EAF5E7D4B5C5E25E2632B952802EE80CB556AB26D6B30D7295F87,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000095382Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:23:41.956{601D2BAB-04EF-614B-2300-00000000FD01}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-301.eu-central-1.compute.internal50391-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 354300x8000000000000000113098Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:23:41.707{D0132419-04E8-614B-6A00-00000000FC01}3852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local55899-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000095385Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:23:45.673{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=024D169BD5C52828017F27CAE2527278,SHA256=28E552A7B838AD412A020273BB9775D437CAE41C66AB2945B3ACEBDB6C1806D2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000113100Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:23:45.579{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BDDD08F95287D7167F36DC601AE6F7B8,SHA256=9010B16F73705B76C6B241CED6B3363019475F404A700565A3C42AFC5A8E4E3A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000095386Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:23:46.688{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5AEE148686E7C58ED2FA9890C30AB777,SHA256=1DB4FDD45B0D4BB73D03593CA7A4635BA4B07D26D257A2A4E678C88462AA64BC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000113101Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:23:46.595{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DEF50AF5DF25804E87209B3CC461D65B,SHA256=DBE52406F5969011379AFCA5771584665A72C75E46BE2550D2CD624BDA5E5981,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000095387Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:23:47.720{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4FD1D3743497830970F6C281D55FC3E8,SHA256=0A95ECBAD0E32569DB48338195C9D5F28BD01D72D32D18B6C63EBCC572BBC843,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000113102Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:23:47.657{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB3E3749A42CC84EE0922EEBE7B87623,SHA256=78238290306F87D9135EFDA0B371F2A4BB562FCB5014D4E143DFFACC3AC7ED76,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000095388Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:23:48.735{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE80AD3BFE4769C746D721610F8FBA2C,SHA256=6A22C8DB028E095A791CBF6BFBD07BB500BC2136976BC6B5D50F77ABC2909575,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000113103Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:23:48.673{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2C07772D9D89C94E752FCB3B21C9F56F,SHA256=FFF79A030C673E5F94F220BA7223A121898E58D5AC76393630ABDADC81473EF9,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000095390Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:23:48.128{601D2BAB-04F9-614B-6600-00000000FD01}2700C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-301.eu-central-1.compute.internal50393-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000095389Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:23:49.751{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2DA932F223BDD3662E0B63DA172F23BD,SHA256=87BBD3D40FFE20EB5A104B0AA930C1BDC2EF17D2E1576629199362EAF7B5CA42,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000113113Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:23:49.720{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=678FAABB7382EED60ED2A35162F5B0ED,SHA256=77463C85023A16213373DEE901037537A431787331748069E2F86D7425C3022D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000113112Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:23:47.692{D0132419-04E8-614B-6A00-00000000FC01}3852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local55900-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x8000000000000000113111Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:23:49.532{D0132419-04DE-614B-3100-00000000FC01}23683044C:\Windows\system32\conhost.exe{D0132419-1245-614B-7202-00000000FC01}2596C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000113110Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:23:49.532{D0132419-04CF-614B-0C00-00000000FC01}8486036C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000113109Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:23:49.532{D0132419-04CF-614B-0C00-00000000FC01}8486036C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000113108Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:23:49.532{D0132419-04CF-614B-0C00-00000000FC01}8486036C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000113107Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:23:49.532{D0132419-04CF-614B-0C00-00000000FC01}8486036C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000113106Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:23:49.532{D0132419-04CD-614B-0500-00000000FC01}424440C:\Windows\system32\csrss.exe{D0132419-1245-614B-7202-00000000FC01}2596C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000113105Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:23:49.532{D0132419-04DD-614B-2800-00000000FC01}28323704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D0132419-1245-614B-7202-00000000FC01}2596C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000113104Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:23:49.533{D0132419-1245-614B-7202-00000000FC01}2596C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D0132419-04CD-614B-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{D0132419-04DD-614B-2800-00000000FC01}2832C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000095391Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:23:50.751{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1DD0FB34126362001C32CAD0F19935C8,SHA256=626D781958E192BA48853240D4B13D7060C8A10C432229C7093235D51C0CBCF2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000113132Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:23:50.985{D0132419-04DE-614B-3100-00000000FC01}23683044C:\Windows\system32\conhost.exe{D0132419-1246-614B-7402-00000000FC01}5256C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000113131Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:23:50.985{D0132419-04CF-614B-0C00-00000000FC01}8486036C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000113130Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:23:50.985{D0132419-04CF-614B-0C00-00000000FC01}8486036C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000113129Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:23:50.985{D0132419-04CF-614B-0C00-00000000FC01}8486036C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000113128Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:23:50.985{D0132419-04CF-614B-0C00-00000000FC01}8486036C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000113127Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:23:50.985{D0132419-04CD-614B-0500-00000000FC01}42492C:\Windows\system32\csrss.exe{D0132419-1246-614B-7402-00000000FC01}5256C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000113126Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:23:50.985{D0132419-04DD-614B-2800-00000000FC01}28323704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D0132419-1246-614B-7402-00000000FC01}5256C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000113125Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:23:50.987{D0132419-1246-614B-7402-00000000FC01}5256C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D0132419-04CD-614B-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{D0132419-04DD-614B-2800-00000000FC01}2832C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000113124Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:23:50.751{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=843C3C5AE740B8317733D0DBC73AA70F,SHA256=28FB82880EA7A0F652E6DB53E67516D1A5BC4169F9AEBECF6CAC5AA0083E349B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000113123Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:23:50.548{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E0B33595B75162EB4677D055502A00FC,SHA256=3809CF47CBBD20D08B0557046D0FC0DD949646D994EE5CE38EC6821F5A5CA184,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000113122Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:23:50.548{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AA891EC8754FFF5C14706E3C8CC3BE07,SHA256=98E7044C19C01DA3F5A2BECA76C975AFAEA3C4B6D2533D7F235C883DC36BB881,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000113121Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:23:50.454{D0132419-04DE-614B-3100-00000000FC01}23683044C:\Windows\system32\conhost.exe{D0132419-1246-614B-7302-00000000FC01}5324C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000113120Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:23:50.454{D0132419-04CF-614B-0C00-00000000FC01}8486036C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000113119Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:23:50.454{D0132419-04CF-614B-0C00-00000000FC01}8486036C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000113118Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:23:50.454{D0132419-04CF-614B-0C00-00000000FC01}8486036C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000113117Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:23:50.454{D0132419-04CD-614B-0500-00000000FC01}424440C:\Windows\system32\csrss.exe{D0132419-1246-614B-7302-00000000FC01}5324C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000113116Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:23:50.454{D0132419-04CF-614B-0C00-00000000FC01}8486036C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000113115Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:23:50.454{D0132419-04DD-614B-2800-00000000FC01}28323704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D0132419-1246-614B-7302-00000000FC01}5324C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000113114Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:23:50.455{D0132419-1246-614B-7302-00000000FC01}5324C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D0132419-04CD-614B-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{D0132419-04DD-614B-2800-00000000FC01}2832C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000095392Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:23:51.798{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B3062C8A64D9CAA1FB05992CE10F06B4,SHA256=34DAF6D1B0024488EAB728E42741BC7B82DDEEC5528FE27C10720CE107EC0D4F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000113135Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:23:51.985{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E0B33595B75162EB4677D055502A00FC,SHA256=3809CF47CBBD20D08B0557046D0FC0DD949646D994EE5CE38EC6821F5A5CA184,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000113134Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:23:51.782{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=81C52BA2C5EA2D67B2BACEB1BAD97E81,SHA256=D7B6F10E9D9F49143AD6342BA3CD2E04A0A1A89A9ADBDF8A6BB4EA8590C9614C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000113133Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:23:51.204{D0132419-1246-614B-7402-00000000FC01}52565316C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{D0132419-04DD-614B-2800-00000000FC01}2832C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000113138Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:23:52.813{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=58E0660C98C7B2BA50EDF2D70087AF54,SHA256=1A9BE937C64EE5B7E3DFE5561D4AB35553280B3D6A2248C84761694CBF3BC47D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000095393Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:23:52.829{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C2973FC382EAA65F7B70AB628484016,SHA256=9E2C4EC71ED6976BC04BAF4D65EF07E8B6C2AF9C5BD4DAF835DDDA891BEBDDBA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000113137Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:23:50.488{D0132419-04CD-614B-0B00-00000000FC01}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local55901-true0:0:0:0:0:0:0:1win-dc-639.attackrange.local389ldap 354300x8000000000000000113136Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:23:50.488{D0132419-04DD-614B-2500-00000000FC01}2784C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local55901-true0:0:0:0:0:0:0:1win-dc-639.attackrange.local389ldap 23542300x8000000000000000113148Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:23:53.813{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=52A45C49D1C2FBB273F2531C9461FA09,SHA256=2F8C6AEB63540669FF270B5CF694DF437FEF1E84CF1170819AB0159617819B6D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000095394Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:23:53.829{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F04FD81768A52F8386649D66E060814,SHA256=8A4678701C4FF3CB07FC5FEE3AF8408E059E9CCE3B01D39E6F7B694146357871,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000113147Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:23:53.751{D0132419-1249-614B-7502-00000000FC01}53205288C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D0132419-04DD-614B-2800-00000000FC01}2832C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000113146Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:23:53.532{D0132419-04DE-614B-3100-00000000FC01}23683044C:\Windows\system32\conhost.exe{D0132419-1249-614B-7502-00000000FC01}5320C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000113145Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:23:53.532{D0132419-04CF-614B-0C00-00000000FC01}8486036C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000113144Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:23:53.532{D0132419-04CF-614B-0C00-00000000FC01}8486036C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000113143Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:23:53.532{D0132419-04CF-614B-0C00-00000000FC01}8486036C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000113142Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:23:53.532{D0132419-04CF-614B-0C00-00000000FC01}8486036C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000113141Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:23:53.532{D0132419-04CD-614B-0500-00000000FC01}424540C:\Windows\system32\csrss.exe{D0132419-1249-614B-7502-00000000FC01}5320C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000113140Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:23:53.532{D0132419-04DD-614B-2800-00000000FC01}28323704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D0132419-1249-614B-7502-00000000FC01}5320C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000113139Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:23:53.533{D0132419-1249-614B-7502-00000000FC01}5320C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D0132419-04CD-614B-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{D0132419-04DD-614B-2800-00000000FC01}2832C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000095395Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:23:54.860{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A891DD90BC816B811325951E8DC30933,SHA256=1AD901FE53CF9A960586E330B94EDB2E3E7DCFB518EC0C25C870DF1DC5042538,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000113149Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:23:54.548{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EE60C8B12E72849CB3D531E9583185AE,SHA256=E8CD279FB9F67884799B1F9B3E219C5F535AE2CF8FB6BF239AFEEE39C5C5C6BB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000095397Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:23:55.860{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=86311882D02AC9AEB632079214F9E715,SHA256=8D2922846A22370141E4881C5EAC28F1B42546C69E7CD3B320EE41D44F33086B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000113150Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:23:55.016{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB76247F28510CE6D40E29B6D4BABD16,SHA256=8308CE879B2405D4C5079A32140911CC72A97A1D0E3EAB4678A6BC5E5FCE6E23,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000095396Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:23:55.313{601D2BAB-04EE-614B-1100-00000000FD01}972NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=66674293126D51CC1041E24FC82DCF45,SHA256=DA9A117FBE28F0861BB0C26DB4646088EA7399DD743A1ACB8B3202E0215B71F8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000095399Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:23:56.860{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DBEBB1EA4BCAD94230449E51DC461B06,SHA256=3C0948121A6FC31A467EB7D3E0089627CA9DA8E978ADDFE04FB977815E494D10,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000113152Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:23:53.707{D0132419-04E8-614B-6A00-00000000FC01}3852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local55902-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000113151Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:23:56.032{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0240CD27FE5BACEE2EA34F486C3B8D25,SHA256=4B62F4BE8C2BC3B87C34C8969AB6CE704A4CD48CC3EB17B74CC01F76B35218D3,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000095398Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:23:54.004{601D2BAB-04F9-614B-6600-00000000FD01}2700C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-301.eu-central-1.compute.internal50394-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000095403Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:23:57.876{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3951FDC40CD5F8E379EAD303610E3687,SHA256=EBE7C0D345BC59AA70F858169E3953F6FF351855E9DAD114E81E9C3F759DC8D3,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000113154Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:23:55.474{D0132419-04D0-614B-0F00-00000000FC01}368C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.122-65317-false10.0.1.14win-dc-639.attackrange.local3389ms-wbt-server 23542300x8000000000000000113153Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:23:57.048{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=59AB64917C5407C20D6FC4DFB07E2E5D,SHA256=4D1B93C72F3DC67FFAE5CA6FE58E0B8A6667E7296CD7B0A30FB522D4B99150A8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000095402Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:23:57.485{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EE-614B-1300-00000000FD01}804C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000095401Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:23:57.485{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EE-614B-1300-00000000FD01}804C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000095400Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:23:57.485{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EE-614B-1300-00000000FD01}804C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000095404Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:23:58.907{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E813A749C32A9A9965D23F73ABC8FE40,SHA256=0352A8F20E7331343BDD910A7676C96683878BA9CA49F8B86565D92E37C1AF56,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000113155Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:23:58.079{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=330E3CEEBF8B628E805073EE6931311D,SHA256=5B0BC79D14A2740F4D9053A2D85A4C6AA04F3BFACA7CD99D6FA198288B396423,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000095405Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:23:59.923{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6127179256C095D8C47639DB39C39871,SHA256=FD9D47691B4BC48D086F7CA556A792D1D6B5C1325412B3E140CC4CF44822CB30,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000113158Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:23:57.176{D0132419-04DD-614B-2A00-00000000FC01}2988C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local49990- 354300x8000000000000000113157Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:23:57.176{D0132419-04D0-614B-1500-00000000FC01}1128C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local49990-true0:0:0:0:0:0:0:1win-dc-639.attackrange.local53domain 23542300x8000000000000000113156Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:23:59.126{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AEF7500667DC9E81FC2054DA247FF24C,SHA256=2D836F62ED0496A52C797CBC59C46927EB7BF1A2AD7F8BB7DC384B8BB22D530C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000095406Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:24:00.947{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3CFC3E1BC3AB755456B483435D6550F6,SHA256=773A98A2C4BBE696090F9C4FD0D361A58909EBDF4DEEA994504DD1F3664F2A94,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000113160Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:23:58.738{D0132419-04E8-614B-6A00-00000000FC01}3852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local55903-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000113159Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:24:00.141{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F48CD0055DA9B15379D87DAA51215A38,SHA256=FB58B008C6749E7DEBBF35D6D85EE558A55BE8875B2D25FE0FDD1F81DCCC70D9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000095408Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:24:01.947{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7033C97A659393527B298D9D11BE5DAE,SHA256=428E9E8E6912A5DB6ACFDA5E69B315E366D84ADE5BD71120D42D01ACF30AA7EF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000113161Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:24:01.173{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=36CBA20C74330CBEB117762D42EE1AB3,SHA256=C5FB0A13B93D1D0DB3941E29D40CB0250D100F60AECAA3519157D31ACB3C700C,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000095407Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:23:59.097{601D2BAB-04F9-614B-6600-00000000FD01}2700C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-301.eu-central-1.compute.internal50395-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000095409Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:24:02.979{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=499209E7837C7F4CADCC12D2FD135CCF,SHA256=0E2AEF6412FDA8BD377329687A63BBC9422ABEAC4F29B445F174930658EF72AC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000113162Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:24:02.188{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E67ED313B7D7A7B35E50A396255B83F2,SHA256=C72774D8B5CFD3F82DF1AC00592ECBAA811E5BE1CB746BB2DBEDFDAC4BC1DEFA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000095410Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:24:03.979{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C29ECD0AA8A514D5B42151D81EE0490F,SHA256=578C968CDA6FF4895EE7263BEC297B2F5C79AB10FC7BCBEA3B949F3551EEEFC6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000113163Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:24:03.220{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F669FA656B4F7F96AA21461E0E3B34C,SHA256=C5E26261F4FB8290FF8CDDA04C0FD9C45A91ACB628CCD1AEA5C7226FFC14D84C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000095411Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:24:04.979{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F673D982C3E18E7D040E43B46A6ACFA,SHA256=14B0A6C239ECD5F6E9EE1DD1AF089B5935DD7B15DF4C615D9E5600777154C06A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000113165Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:24:04.230{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D23E088A23F941C43550572FD7EA202F,SHA256=FD006A808F56050F23DDD816E974A3D8C7E8117FB320A86F5CC846B0FF6CC632,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000113164Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:24:04.135{D0132419-04DD-614B-2900-00000000FC01}2876NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-00d0db05f68d8430c\channels\health\respondent-20210922102639-055MD5=345F625AB226979275E8E5CD8333D545,SHA256=49B2C959B2C09B2DF7CFAED4905912E8B63F426A3734D76F2BAAFA07100D73D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000095412Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:24:05.994{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BBC6AC1E7E19E94139A24D0C57CB064C,SHA256=2597545C21FAFD7B9B7FDC0A00E19922AC292C1084A9C0F1236F892476C7D659,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000113167Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:24:05.290{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BAE1A440EDA5CA0CBB2641C9517B1546,SHA256=09A0DDA1B642D5FD7DDBA68740CBEFA927C884786F3B5FF2956A90479A4E685A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000113166Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:24:05.121{D0132419-04DD-614B-2900-00000000FC01}2876NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-00d0db05f68d8430c\channels\health\surveyor-20210922102637-056MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000113186Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:24:06.934{D0132419-1256-614B-7702-00000000FC01}55763740C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{D0132419-04DD-614B-2800-00000000FC01}2832C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000113185Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:24:06.762{D0132419-04DE-614B-3100-00000000FC01}23683044C:\Windows\system32\conhost.exe{D0132419-1256-614B-7702-00000000FC01}5576C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000113184Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:24:06.762{D0132419-04CF-614B-0C00-00000000FC01}8486036C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000113183Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:24:06.762{D0132419-04CF-614B-0C00-00000000FC01}8486036C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000113182Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:24:06.762{D0132419-04CF-614B-0C00-00000000FC01}8486036C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000113181Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:24:06.762{D0132419-04CF-614B-0C00-00000000FC01}8486036C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000113180Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:24:06.762{D0132419-04CD-614B-0500-00000000FC01}424440C:\Windows\system32\csrss.exe{D0132419-1256-614B-7702-00000000FC01}5576C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000113179Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:24:06.762{D0132419-04DD-614B-2800-00000000FC01}28323704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D0132419-1256-614B-7702-00000000FC01}5576C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000113178Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:24:06.763{D0132419-1256-614B-7702-00000000FC01}5576C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D0132419-04CD-614B-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{D0132419-04DD-614B-2800-00000000FC01}2832C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000113177Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:24:06.402{D0132419-1256-614B-7602-00000000FC01}47085168C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D0132419-04DD-614B-2800-00000000FC01}2832C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000113176Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:24:06.293{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C0852919890DD4A8D70E825541AC7B86,SHA256=5999FDAF132A3E23CCFC298127E5A834846C0FDCBBCD0167169A4D45AB899487,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000095426Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:24:05.028{601D2BAB-04F9-614B-6600-00000000FD01}2700C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-301.eu-central-1.compute.internal50396-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x800000000000000095425Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:24:06.026{601D2BAB-04F0-614B-2B00-00000000FD01}28122832C:\Windows\system32\conhost.exe{601D2BAB-1256-614B-2602-00000000FD01}3416C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000095424Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:24:06.026{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000095423Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:24:06.026{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000095422Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:24:06.026{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000095421Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:24:06.026{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000095420Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:24:06.026{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000095419Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:24:06.026{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000095418Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:24:06.026{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000095417Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:24:06.026{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000095416Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:24:06.026{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000095415Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:24:06.026{601D2BAB-04ED-614B-0500-00000000FD01}412528C:\Windows\system32\csrss.exe{601D2BAB-1256-614B-2602-00000000FD01}3416C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000095414Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:24:06.026{601D2BAB-04EF-614B-2300-00000000FD01}15603852C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{601D2BAB-1256-614B-2602-00000000FD01}3416C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000095413Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:24:06.026{601D2BAB-1256-614B-2602-00000000FD01}3416C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{601D2BAB-04EE-614B-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{601D2BAB-04EF-614B-2300-00000000FD01}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000113175Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:24:06.199{D0132419-04DE-614B-3100-00000000FC01}23683044C:\Windows\system32\conhost.exe{D0132419-1256-614B-7602-00000000FC01}4708C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000113174Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:24:06.199{D0132419-04CF-614B-0C00-00000000FC01}8486036C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000113173Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:24:06.199{D0132419-04CF-614B-0C00-00000000FC01}8486036C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000113172Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:24:06.199{D0132419-04CF-614B-0C00-00000000FC01}8486036C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000113171Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:24:06.199{D0132419-04CF-614B-0C00-00000000FC01}8486036C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000113170Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:24:06.199{D0132419-04CD-614B-0500-00000000FC01}424440C:\Windows\system32\csrss.exe{D0132419-1256-614B-7602-00000000FC01}4708C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000113169Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:24:06.199{D0132419-04DD-614B-2800-00000000FC01}28323704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D0132419-1256-614B-7602-00000000FC01}4708C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000113168Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:24:06.200{D0132419-1256-614B-7602-00000000FC01}4708C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{D0132419-04CD-614B-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{D0132419-04DD-614B-2800-00000000FC01}2832C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000113198Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:24:07.418{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=793E65830A597195F95521438683318B,SHA256=3A9943E2AC9DBB7FC785F52DBF4F6EE98CC97F1BE4930BC25CD1DD69526913D1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000113197Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:24:07.418{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BF0F6A75109BDDD45A9CCBEB0B89D39C,SHA256=7B60D3864F2F6DAFD795187999D6CB0B1D1B467E073A3AED88ECEF528B90D65E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000113196Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:24:07.387{D0132419-04DE-614B-3100-00000000FC01}23683044C:\Windows\system32\conhost.exe{D0132419-1257-614B-7802-00000000FC01}5744C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000113195Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:24:07.387{D0132419-04CF-614B-0C00-00000000FC01}8486036C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000113194Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:24:07.387{D0132419-04CF-614B-0C00-00000000FC01}8486036C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000113193Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:24:07.387{D0132419-04CF-614B-0C00-00000000FC01}8486036C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000113192Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:24:07.387{D0132419-04CF-614B-0C00-00000000FC01}8486036C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000113191Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:24:07.387{D0132419-04CD-614B-0500-00000000FC01}424540C:\Windows\system32\csrss.exe{D0132419-1257-614B-7802-00000000FC01}5744C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000113190Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:24:07.387{D0132419-04DD-614B-2800-00000000FC01}28323704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D0132419-1257-614B-7802-00000000FC01}5744C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000113189Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:24:07.388{D0132419-1257-614B-7802-00000000FC01}5744C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D0132419-04CD-614B-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{D0132419-04DD-614B-2800-00000000FC01}2832C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000113188Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:24:07.371{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F3AD6800C9A562357750B8BF68477DBE,SHA256=111CDC448598706E0F998E433A39F43005D4A2B0EADBA59F6C1C7D4A854C103E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000095456Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:24:07.932{601D2BAB-1257-614B-2802-00000000FD01}28601192C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{601D2BAB-04EF-614B-2300-00000000FD01}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000095455Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:24:07.807{601D2BAB-04F0-614B-2B00-00000000FD01}28122832C:\Windows\system32\conhost.exe{601D2BAB-1257-614B-2802-00000000FD01}2860C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000095454Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:24:07.807{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000095453Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:24:07.807{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000095452Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:24:07.807{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000095451Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:24:07.807{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000095450Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:24:07.807{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000095449Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:24:07.807{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000095448Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:24:07.807{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000095447Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:24:07.807{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000095446Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:24:07.807{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000095445Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:24:07.807{601D2BAB-04ED-614B-0500-00000000FD01}412528C:\Windows\system32\csrss.exe{601D2BAB-1257-614B-2802-00000000FD01}2860C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000095444Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:24:07.807{601D2BAB-04EF-614B-2300-00000000FD01}15603852C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{601D2BAB-1257-614B-2802-00000000FD01}2860C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000095443Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:24:07.807{601D2BAB-1257-614B-2802-00000000FD01}2860C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{601D2BAB-04EE-614B-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{601D2BAB-04EF-614B-2300-00000000FD01}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000095442Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:24:07.135{601D2BAB-04F0-614B-2B00-00000000FD01}28122832C:\Windows\system32\conhost.exe{601D2BAB-1257-614B-2702-00000000FD01}3536C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000095441Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:24:07.135{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000095440Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:24:07.135{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000095439Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:24:07.135{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000095438Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:24:07.135{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000095437Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:24:07.135{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000095436Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:24:07.135{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000095435Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:24:07.135{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000095434Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:24:07.135{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000095433Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:24:07.135{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000095432Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:24:07.135{601D2BAB-04ED-614B-0500-00000000FD01}412528C:\Windows\system32\csrss.exe{601D2BAB-1257-614B-2702-00000000FD01}3536C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000095431Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:24:07.135{601D2BAB-04EF-614B-2300-00000000FD01}15603852C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{601D2BAB-1257-614B-2702-00000000FD01}3536C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000095430Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:24:07.136{601D2BAB-1257-614B-2702-00000000FD01}3536C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{601D2BAB-04EE-614B-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{601D2BAB-04EF-614B-2300-00000000FD01}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000095429Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:24:07.026{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=824037795584DA7190D66AF5BCB20789,SHA256=B2980FBD64B612CF95EB8F06ACB69CC210B993DF104B06EF78A5D4D11565100F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000095428Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:24:07.026{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=485624C9247751EC6B594431931FB8D6,SHA256=0F30480FCD28A6F941DBC60A5F8248F9757A90C12F2D9BCFF50C4A0430ABBC3D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000095427Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:24:07.026{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=13BE8411CB6C6700D3FEA1D10A4E4386,SHA256=A7B36B2A7CAAC25F6DE908F48059E556BB9690D69909750B2689614A023B2C97,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000113187Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:24:04.564{D0132419-04E8-614B-6A00-00000000FC01}3852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local55904-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000095458Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:24:08.307{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=128DCB7933328AB33602CC1F939763B7,SHA256=B12003D3ECCDA24D693969E5CC686492B82F0CB135D5292001E6FB7E3DA11261,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000095457Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:24:08.307{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=485624C9247751EC6B594431931FB8D6,SHA256=0F30480FCD28A6F941DBC60A5F8248F9757A90C12F2D9BCFF50C4A0430ABBC3D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000113199Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:24:08.387{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A8D541AE77D3B7E4E27AD7850A388E2,SHA256=7BBDDE94EACE4445FA3FDF5D61009C99C6ECF4CD55032838C2FCD7B5E01BD492,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000113200Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:24:09.480{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D2C3BE89ABFD5543035231D3AD2A3A3C,SHA256=5B6ED425602D76EC4C2EFD98231F4D229277FA0438AA8DF9A9EA6F267F677815,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000095473Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:24:09.885{601D2BAB-1259-614B-2902-00000000FD01}12282748C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{601D2BAB-04EF-614B-2300-00000000FD01}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000095472Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:24:09.760{601D2BAB-04F0-614B-2B00-00000000FD01}28122832C:\Windows\system32\conhost.exe{601D2BAB-1259-614B-2902-00000000FD01}1228C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000095471Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:24:09.760{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000095470Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:24:09.760{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000095469Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:24:09.760{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000095468Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:24:09.760{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000095467Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:24:09.760{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000095466Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:24:09.760{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000095465Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:24:09.760{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000095464Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:24:09.760{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000095463Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:24:09.760{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000095462Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:24:09.760{601D2BAB-04ED-614B-0500-00000000FD01}412528C:\Windows\system32\csrss.exe{601D2BAB-1259-614B-2902-00000000FD01}1228C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000095461Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:24:09.760{601D2BAB-04EF-614B-2300-00000000FD01}15603852C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{601D2BAB-1259-614B-2902-00000000FD01}1228C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000095460Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:24:09.761{601D2BAB-1259-614B-2902-00000000FD01}1228C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{601D2BAB-04EE-614B-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{601D2BAB-04EF-614B-2300-00000000FD01}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000095459Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:24:09.541{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B88DB0E668667B4BA5FD207757F70EB,SHA256=D3C02E45353C9B20C95CB7F5EDDCD87AF92657475161DCB6E649156E43C2E6C7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000113201Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:24:10.496{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=59D77E48206A8334F20556EF764E4F6B,SHA256=15FD78AFCE6C2D25526D2B865FA5655DC2298614F9A169C371F495CDA082E43C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000095489Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:24:10.791{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DFE12F8B41FDC974ED2320AE41E253A4,SHA256=D9ED38418A8DC79B6FD58D875B2014866C5D8A81A9890AFB226FC65AF0B15B2D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000095488Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:24:10.619{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B17B83633BD748DD9EDE444C50744D9,SHA256=CB765270ED61D3D458D53FA03769AECB45857FF2BD6F0B81A920CEE0D58493BF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000095487Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:24:10.557{601D2BAB-125A-614B-2A02-00000000FD01}14003244C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{601D2BAB-04EF-614B-2300-00000000FD01}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000095486Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:24:10.432{601D2BAB-04F0-614B-2B00-00000000FD01}28122832C:\Windows\system32\conhost.exe{601D2BAB-125A-614B-2A02-00000000FD01}1400C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000095485Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:24:10.432{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000095484Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:24:10.432{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000095483Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:24:10.432{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000095482Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:24:10.432{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000095481Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:24:10.432{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000095480Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:24:10.432{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000095479Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:24:10.432{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000095478Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:24:10.432{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000095477Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:24:10.432{601D2BAB-04ED-614B-0500-00000000FD01}412528C:\Windows\system32\csrss.exe{601D2BAB-125A-614B-2A02-00000000FD01}1400C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000095476Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:24:10.432{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000095475Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:24:10.432{601D2BAB-04EF-614B-2300-00000000FD01}15603852C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{601D2BAB-125A-614B-2A02-00000000FD01}1400C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000095474Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:24:10.432{601D2BAB-125A-614B-2A02-00000000FD01}1400C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{601D2BAB-04EE-614B-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{601D2BAB-04EF-614B-2300-00000000FD01}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000095504Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:24:11.651{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B946C5C6A635BEC723B8B61B9BEE426,SHA256=D76749E9FD22D5FAEE782357CC74AEC128A2C17022099ED48091CE75BEC10C65,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000113202Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:24:11.496{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0EDE5CA369C10962D5C24BD464217D43,SHA256=21B23560140DEFF9572FDF8914451E55B6F4593B1D01C566C353FAF2A01D93D5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000095503Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:24:11.245{601D2BAB-125B-614B-2B02-00000000FD01}3220640C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{601D2BAB-04EF-614B-2300-00000000FD01}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000095502Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:24:11.104{601D2BAB-04F0-614B-2B00-00000000FD01}28122832C:\Windows\system32\conhost.exe{601D2BAB-125B-614B-2B02-00000000FD01}3220C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000095501Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:24:11.104{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000095500Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:24:11.104{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000095499Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:24:11.104{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000095498Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:24:11.104{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000095497Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:24:11.104{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000095496Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:24:11.104{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000095495Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:24:11.104{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000095494Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:24:11.104{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000095493Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:24:11.104{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000095492Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:24:11.104{601D2BAB-04ED-614B-0500-00000000FD01}4121044C:\Windows\system32\csrss.exe{601D2BAB-125B-614B-2B02-00000000FD01}3220C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000095491Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:24:11.104{601D2BAB-04EF-614B-2300-00000000FD01}15603852C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{601D2BAB-125B-614B-2B02-00000000FD01}3220C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000095490Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:24:11.104{601D2BAB-125B-614B-2B02-00000000FD01}3220C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{601D2BAB-04EE-614B-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{601D2BAB-04EF-614B-2300-00000000FD01}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000095507Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:24:12.666{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CECB38AF8BE6C35602CF274924EC9900,SHA256=7F6114D6DBF07037FF3691A52DED430A0E4A9CF8F493EA20F4D8A7AADCBC8D14,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000113204Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:24:12.512{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD997AE87C1DB95940C5FFC15A809C32,SHA256=DD40410B350D2A590572667D4C2B9ABC98C827B46E69B60FAC0CE01BEA1589AA,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000095506Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:24:10.169{601D2BAB-04F9-614B-6600-00000000FD01}2700C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-301.eu-central-1.compute.internal50397-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000095505Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:24:12.104{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2EA81C16E5E13BC26E23EBB13A3FE1C9,SHA256=CE7ED1F4347211B15050520A78014EA6CD2E98D27EB5D42CACFF359B5BCA317C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000113203Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:24:09.625{D0132419-04E8-614B-6A00-00000000FC01}3852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local55905-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000095521Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:24:13.682{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B42A4AABAF79385E1A38663CB0FF99A,SHA256=FB5B9216FC6FA320105E9B10E19FCFBD0AD3596889FAF6828C80D85E998E992C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000113205Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:24:13.559{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1937B462260E1871E836255BCBD18F8B,SHA256=6E1CFD071EBB98EFA4696F655B60AFB3B5A4BBD9A7FF9C4DF213EC2CC562BAEC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000095520Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:24:13.010{601D2BAB-04F0-614B-2B00-00000000FD01}28122832C:\Windows\system32\conhost.exe{601D2BAB-125D-614B-2C02-00000000FD01}3188C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000095519Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:24:13.010{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000095518Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:24:13.010{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000095517Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:24:13.010{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000095516Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:24:13.010{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000095515Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:24:13.010{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000095514Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:24:13.010{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000095513Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:24:13.010{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000095512Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:24:13.010{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000095511Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:24:13.010{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000095510Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:24:13.010{601D2BAB-04ED-614B-0500-00000000FD01}4121044C:\Windows\system32\csrss.exe{601D2BAB-125D-614B-2C02-00000000FD01}3188C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000095509Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:24:13.010{601D2BAB-04EF-614B-2300-00000000FD01}15603852C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{601D2BAB-125D-614B-2C02-00000000FD01}3188C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000095508Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:24:13.011{601D2BAB-125D-614B-2C02-00000000FD01}3188C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{601D2BAB-04EE-614B-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{601D2BAB-04EF-614B-2300-00000000FD01}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000095523Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:24:14.713{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D0B82C7916D028115023D36AB4EC995,SHA256=9C1A02078F6A898205E2D23F8526A84FC0B0106DC97198A5DF93BC3B45DDD9D2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000113206Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:24:14.574{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=11409AA68D09C70C6C025B5DE29BC7DE,SHA256=5276E4B42BD2C49044BB557F43F5A797E5463E3B94F0D7EB1AE36FAB6593AD08,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000095522Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:24:14.166{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B95035E8DA56DAA2110C21CDA770DA7A,SHA256=EA835881A6F0D96008CC37CA4ECA94D481362ABA426CA2FD483491871A558D27,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000095524Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:24:15.713{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1729E74B3187AAE31DE9B686AA153A5E,SHA256=6FBF37E54F4452861F2E8483BFDA151B8496F2021EF2E7DC58337F7C1D092F8B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000113207Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:24:15.590{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F0E5A228EB36004847A841B26C37F40F,SHA256=B5693BC0D6DF2E2E8759C4280604DBB182DA0E09CC70CC206D8D69F78539EE31,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000095525Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:24:16.713{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=10F60D4D2508D9F19D6A0D175ACB2E9C,SHA256=B9DDAF84833ED9097D726B73092185961E436A059040D7FCCABA130245AAC114,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000113208Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:24:16.605{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=15B94298EAD55D268E38531180A76DF1,SHA256=30D9124390186E3F80E0E99424340917C460544E7B06155B1D33D72A55CF4C13,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000095526Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:24:17.713{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E1FEDFE72175D8561F26AFAA7421F4C8,SHA256=1899405C1AC27332D641D14C802062306267A2D736B5DC1A7632B1C625E774E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000113210Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:24:17.621{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9EF6121B7EC7BF93C5FEC2267528A44A,SHA256=DBA8B6851E2ECDEA0A5D83B0F538B1846EC0A179E447F2B8998C5947D9EFC847,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000113209Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:24:15.608{D0132419-04E8-614B-6A00-00000000FC01}3852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local55906-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000095527Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:24:18.713{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=23C8B2A921AC52ABD89AE975FFF2FFE9,SHA256=2426E3673CACE4489530B92ED6EB857904759D9822A9FB1CFA93E6CAB8861C99,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000113211Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:24:18.637{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1DF9D664CD6894DAE527EA3BEDEEBF08,SHA256=254B27D1C1031AEE022E5CC98C4CA7FF972AB9F6E83AC57A7429A230C7789A43,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000095529Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:24:19.744{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=84F6042D52667B037D5EB98D9FB7766E,SHA256=5719B966D60E6F6D8DAA7839FC0267312397B19F902DF8DF8B36A618D76B9D35,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000113212Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:24:19.652{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC99D4EA3C0718D670AD31CFCEA32956,SHA256=A4D95E1D86787739CBEFCF62B2D0F1F43C642699D7EDCE067BAEE1C55F36AD98,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000095528Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:24:16.153{601D2BAB-04F9-614B-6600-00000000FD01}2700C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-301.eu-central-1.compute.internal50398-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000113213Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:24:20.684{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B5E081E7FC0F90B7AF5660FDAC0007E8,SHA256=D30C1672BCD183CB6E6AB7D986B0B2E6A0DAB1299A8DDF54AE69C2B7F4B68078,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000095530Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:24:20.747{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=854B15D07A536D30CE4310C7E8935AA7,SHA256=26E6CC22B42B52CB594F6EDD1875233D6DBE9BFFD0FAEF18F906028E9C7F802E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000113214Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:24:21.699{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D0480721076DF59A11A1509EFC63EC5,SHA256=4FE57F40D2E826D781AD4CCD37DD7C251386BDFC67B751633916FF1362A2CE8C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000095532Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:24:21.797{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D95B447F3FFD487EC01585F6DE2AD41,SHA256=B7D0519E985F0571737454D854FC6767CFA83E0DCD9C8C1B87E6BCD7D74D3169,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000095531Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:24:21.625{601D2BAB-04EF-614B-1D00-00000000FD01}1920NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-03510517867203100\channels\health\respondent-20210922102657-055MD5=22FBA84AE51C77110BB6250FAEBEFB73,SHA256=8C4862C18A6D8E85F040577B2F2863C8212E82437A5FE9547DE6724818512818,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000113215Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:24:22.746{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=923604810BBB9105A3FA576134FD4318,SHA256=EB9929FEF8FA9F1FE73D161F72636E15C18E77EFCCE4A9CE3DE5F79BA54333FE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000095534Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:24:22.810{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CBFABC0D8DFF9A14FE4DACBA32A50676,SHA256=354A1B5C8ED04FC9D5079C7A10438E21B12CD66259AC486156E95B4BC935AE9C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000095533Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:24:22.625{601D2BAB-04EF-614B-1D00-00000000FD01}1920NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-03510517867203100\channels\health\surveyor-20210922102655-056MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000113216Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:24:23.762{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=79CA2D54304EDD9BB2A8C48309B0F017,SHA256=56945087E0C5178FCB049EC8A1AF01EAB98B375687A8BCA7CEE0333745D3019F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000095536Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:24:23.811{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E9DE24FF93AA4EF2885B52427738D12E,SHA256=B495AA1C822AF06C1D1C870A4C12842B41AE770845E8C7096BC191B6464E35F6,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000095535Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:24:21.157{601D2BAB-04F9-614B-6600-00000000FD01}2700C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-301.eu-central-1.compute.internal50399-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000113218Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:24:24.777{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=450BE07DD02E81131C19E1B940557C89,SHA256=C687E821B76890371A9601D77449C06339DAB5B0C751843EF1E412DB62D24D9D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000095537Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:24:24.811{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EBFD43F0295CEABC6BE56C39D7319075,SHA256=71513A47B8603424C129D80AB0795510DF9D06AB0F2B8AF962C0DC47D1256357,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000113217Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:24:21.624{D0132419-04E8-614B-6A00-00000000FC01}3852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local55907-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000113220Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:24:25.793{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8BD18B8623E9E32E1FBB9EFD66947D3A,SHA256=6D6349A111EC3E96F03F2FCA3561EADE24CCFB8540DB9EACD7C3CD747AFDAF7F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000095538Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:24:25.842{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=566879A027AD716994E6757270DDF160,SHA256=61171FFE3122F830D6E8107B45B46A539F3DD49DB576FF9C80ABFE6B5A2A2325,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000113219Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:24:25.090{D0132419-04D0-614B-1300-00000000FC01}396NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=EEDD509DE8884870D0CD9A04DD7EA315,SHA256=AB8AEFD847FAF7601873FE1F6C15EC663E8F32C66B49B1B7CC0B7C80DE98E5DB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000113221Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:24:26.824{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CF88D1B10B70B0BDE2CE4F679F44B51F,SHA256=43CE9F65AB7FA05A328A9AF238D446E653AE2F6B936807DA5CC561F67CA357CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000095539Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:24:26.874{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D4A2FB30E9DC708549408F4B2BC5E7A6,SHA256=5D3117583D9416811CD1C35C6DF154449CBACAACD5CB3922D7A17B36E14040BE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000113222Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:24:27.824{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C521DF1F99CE0FF9D4C4A8302A144BB,SHA256=AEDF1B577F656A653C47C1498594A44167CC553C4647BDDBDB6B137A4E6B98A5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000095540Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:24:27.905{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=616D6782B98D3A1575BC23E270DA0E9C,SHA256=409E9CB4541F589CDE7E83D4894571C989153C010DA74400EB4AAD8A72FC4817,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000095542Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:24:28.905{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7562CAC59FF0D700BA7B489FC4E092D3,SHA256=9B02838342EEB6F7B006E015FB716C0F16C7E32C6FFDC2C3EAD609F674CD3DF0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000113223Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:24:28.840{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A7D85DD203B3E1EDFD0383334083C0C2,SHA256=6B04F65178BE6643AABC534331339C6089945341FFCA9D4521F5CABDAB3C9F90,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000095541Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:24:26.158{601D2BAB-04F9-614B-6600-00000000FD01}2700C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-301.eu-central-1.compute.internal50400-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000113225Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:24:29.855{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=16C6481109EF0766920E963644A1BA35,SHA256=DAE720B39B25F29EAA403880E6E54C051094A73D1E5FD5EF5B7CFDAA58BAED33,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000113224Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:24:27.546{D0132419-04E8-614B-6A00-00000000FC01}3852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local55908-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000113226Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:24:30.871{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=04E8CCF6691CB26C97F8F57AC4D5ECEB,SHA256=38642A7A6EBCFE01C82F995B359B8EC89BF20CB9DBB6929AECEC293DAAB4D945,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000095543Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:24:30.014{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B3B87A801F5840FF1E7258FC8B985EDF,SHA256=DB8451DBE01B6BDD49399EB0AF44D56BCA9A0C3CEDFF2D364ABBB16CCA155017,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000113227Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:24:31.887{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F3CCE3D69BE087F1F73C13510DCB6E11,SHA256=6B402DEE5D05AA745460CAA8FAAA7D70E03FD0DD70F53C3E8CB73EE74C26B0BA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000095544Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:24:31.077{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EFC6EA39483D3CCD525645968579F6C4,SHA256=F6E8D4F2CA129C1080902B8239A38977DA712CE6DBEA5794363EA9DBD49392C3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000113228Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:24:32.902{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4A9F21CA16E604F6D4C01B5756216F47,SHA256=B65632B7EBE4E7777E10456A4E62B929EA57314404589F973DEB76F2045962A8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000095545Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:24:32.077{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D04170A2779230373953EA1563FD93A,SHA256=C74E4E85D88C71AD612D8D37EE8D4256B7C6FA501C691CFD35022B3F8A39DDBD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000113229Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:24:33.918{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=406712ABA2BF30513B7DB3022C2DA0F6,SHA256=F3BBDACD32066DB8859A41F1C8351FC11B04B3BEAB19BABB775EE2F4F3DCAB3B,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000095547Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:24:31.173{601D2BAB-04F9-614B-6600-00000000FD01}2700C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-301.eu-central-1.compute.internal50401-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000095546Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:24:33.077{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C20A646A2DF7F68A0BEC639F7C335782,SHA256=1225AA853A612BDA661BED37D2BDF41884FBA494A0E48F01FAF54BABAC23C359,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000113230Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:24:32.686{D0132419-04E8-614B-6A00-00000000FC01}3852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local55909-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000095548Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:24:34.108{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B054BC3FF477D736D299C48C15287848,SHA256=61EF050DA3AD184D8DC3C00D6EB3365CD19BCFA8D871F463EC323D5F2FFA4EEC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000113231Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:24:35.012{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B755E0657BA56B32BE99686F63E0B3E,SHA256=C35E350CD192BF5B52BED64501FE9D43DD0F83944BAA4688056DD368B8814A3B,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000095550Microsoft-Windows-Sysmon/Operationalwin-host-301-SetValue2021-09-22 11:24:35.327{601D2BAB-04EE-614B-1500-00000000FD01}1032C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d7afa4-0x6c111648) 23542300x800000000000000095549Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:24:35.139{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=06800ED738D0FF6739AF3FB30B747CAF,SHA256=69D045D81F6A2DF96008168A7D36B87A423C2AE910237B4602E428AB63FDA89D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000113232Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:24:36.059{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=67C39E716D13650A5CEB8B4F6A7CDFDA,SHA256=B2076756270B59A469C8FE73EA98F7F0E12CBE5200CE78A33A787BDCE3DA338E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000095551Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:24:36.140{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C4D60415FA3E8A231F4DA4F22CF30C8,SHA256=BDA5C63CC940E850BEF36767FFEBA7E3E068C012183CE0346C6AF7188AC163B3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000113234Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:24:37.059{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB670D90AFED65B66EE3B68AA0A6ED34,SHA256=3C0A1E6CE5F56F84FD4513749D4D18E31F98AFD8E305C713B9B68C0EC1E32A68,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000095552Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:24:37.140{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D5192864A04E419C376B80DC95DB67A3,SHA256=4D358985531FCB6F4A1C40A8D2003F1D5CD800DD73890D20CBE1F32E2018AF1E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000113233Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:24:37.043{D0132419-04DD-614B-2800-00000000FC01}2832NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=2990B16A694DD695D7F6C8AE7AEE48F0,SHA256=B465CF03FBDF89CAB3FC04972E2D540944CDC3DF8EB3010FFE979D2D499C10D3,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000095554Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:24:37.095{601D2BAB-04F9-614B-6600-00000000FD01}2700C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-301.eu-central-1.compute.internal50402-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000095553Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:24:38.172{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E08C45DA89088274934869F3D8B35871,SHA256=C1BA18BE747BAAFD832A37324EF8BE47D1C8CA67A33D7B8915B0D3FC39A0EDF3,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000113236Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:24:36.515{D0132419-04DD-614B-2800-00000000FC01}2832C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local55910-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x8000000000000000113235Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:24:38.074{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CCB5D8B07886E5195AC3B8D2761E742D,SHA256=BD7737E6A0559FCC7DBF4FD538FBB52DA9DB505E43C72EEE49B164FE4C060ADD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000113237Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:24:39.105{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4CC022379759AF1B38BE774CD9E1E19B,SHA256=84E327FA3D96CE7F7D31886C848682ADB0606357B099B58955A32E345CCFE55A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000095555Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:24:39.203{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EAD4876D38FD8DB43AE1B499D61A3601,SHA256=38095D77C67FB94C45CB17FB4A804E4208A26FD5431346D926587A0C0EC2CE1D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000113239Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:24:40.121{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CD8EEF066FBAD705386B0F0CD3DFDBBC,SHA256=DC8E1B39A25D8550D00ABF4B34D391D833AC8AE0DF30079DFE59CD67CDDAF073,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000095556Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:24:40.203{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C06EAE2C619A1A6AB1F0B18F3DC21E17,SHA256=A5C92805AA283E6A4FE09C50B8E3220E9E4201C1BF9390E2E2381258C81DBFBA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000113238Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:24:37.733{D0132419-04E8-614B-6A00-00000000FC01}3852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local55911-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000113240Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:24:41.152{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=42738064D89EF19383B30FCC48752AA7,SHA256=11CA55118AC4D98F82B2CF5A81BA9C0C82F05A65E105082DE4D9A341DFEAB8AF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000095557Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:24:41.312{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C14011852541F9CD409DB527E8AA563,SHA256=D97AD8002627B4670C1BDE255994168EBEA51363C85FDF23BF888DFC54274AE1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000113241Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:24:42.199{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E8D435578F732FE3823B3453EB5035B5,SHA256=E7A82B0C33560B5D44A8F7B484D2A805B114AAEA7358B0E7CE80ED352393122E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000095559Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:24:42.312{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8618D020DDCF3F62D8D5BBE7D4D7A926,SHA256=7F01245A3535F207D7397016008A7BE909F1F78C0DB239E665358BB098B91133,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000095558Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:24:42.047{601D2BAB-04EF-614B-2300-00000000FD01}1560NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=2990B16A694DD695D7F6C8AE7AEE48F0,SHA256=B465CF03FBDF89CAB3FC04972E2D540944CDC3DF8EB3010FFE979D2D499C10D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000113242Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:24:43.246{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F94BD7D8EE6A64A5D3D5AD5A3D327D9,SHA256=C23E3D270BC335D2B221837DCFD3C02A7F8821437AA5AA0E292504AC690E4E58,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000095561Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:24:41.986{601D2BAB-04EF-614B-2300-00000000FD01}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-301.eu-central-1.compute.internal50403-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x800000000000000095560Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:24:43.312{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E1E2EE122BC2DAF76B15609A76F310A3,SHA256=29692E7832118C05C55C1A17DECF85BCA062F6E5A93A4396DE6D18EBD6118C64,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000113243Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:24:44.262{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6E7FF72DBD0BF8BC52A939065560EBE9,SHA256=42E6DC96C3FB1F3B14A2BE90ACF22B67CA586CD8DC3E1C52D2BB0314D2450558,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000095563Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:24:42.111{601D2BAB-04F9-614B-6600-00000000FD01}2700C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-301.eu-central-1.compute.internal50404-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000095562Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:24:44.312{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6669EF0D1DB0EED580C480985534FACE,SHA256=6C3C2091046392165EDAEEAA540B2B76E27A8B521796537376A3032EF370B03D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000113244Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:24:45.277{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F3739CDDD619E7930AB9EB14EBF90C4F,SHA256=D25C0B3A522F3991E1A3AFC81463522DDECADB194A76503334F58BF26509FB41,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000095564Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:24:45.312{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D035B2BE1EF52E4F7749FACF78A205E,SHA256=4F70921B02EE5A67FA1EEFB5A94D0921067594C1C96717F0B7DEA866081C62E4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000113246Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:24:46.293{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B2C3184A02146C8892B8A5690AC29A47,SHA256=DCB85CAD5D9668964860DB457667425F3BBEF5CE4F24D2A1F62B3C50269D5AE7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000095565Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:24:46.312{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F9CAFB8B8C493FCD97247AFB7461BD87,SHA256=01194674F9A618DC9BEEDA894F5F52AA951FAB1A1D6014B04C037109B5C4E5F0,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000113245Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:24:43.624{D0132419-04E8-614B-6A00-00000000FC01}3852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local55912-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000113247Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:24:47.340{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A1D4B27CF6FA5D08720F7D4D9E1FD1C1,SHA256=C6B2EA5EC1B5363C952BD508943636166428F4D143C33F79D65CC0702BDD6ABF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000095566Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:24:47.312{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B21235FF313E629B0B7DF1D9D755691F,SHA256=F035C5BD02C60CCB6BE5E264D44F8E77C566C1CF9DA34AB3C4671B622088875B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000113248Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:24:48.355{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A1111228FD78CC99BC11B616EC545F40,SHA256=589FE48D30C7C4AA3BC8EF1934CB303F7E15192B941D23676BA510B2BA062D22,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000095567Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:24:48.312{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A49AE3D5979ABB192E97B0B7032C8084,SHA256=9F975D5D9E23E7B69355286E9A88A5A807B38288DF2CF9C2DAA5457D7BF6DDC7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000113257Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:24:49.559{D0132419-04DE-614B-3100-00000000FC01}23683044C:\Windows\system32\conhost.exe{D0132419-1281-614B-7902-00000000FC01}988C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000113256Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:24:49.559{D0132419-04CF-614B-0C00-00000000FC01}8486036C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000113255Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:24:49.559{D0132419-04CF-614B-0C00-00000000FC01}8486036C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000113254Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:24:49.559{D0132419-04CF-614B-0C00-00000000FC01}8486036C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000113253Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:24:49.559{D0132419-04CF-614B-0C00-00000000FC01}8486036C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000113252Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:24:49.559{D0132419-04CD-614B-0500-00000000FC01}42492C:\Windows\system32\csrss.exe{D0132419-1281-614B-7902-00000000FC01}988C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000113251Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:24:49.559{D0132419-04DD-614B-2800-00000000FC01}28323704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D0132419-1281-614B-7902-00000000FC01}988C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000113250Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:24:49.559{D0132419-1281-614B-7902-00000000FC01}988C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D0132419-04CD-614B-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{D0132419-04DD-614B-2800-00000000FC01}2832C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000113249Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:24:49.371{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3B14359DC3280D264200ECAFF2102819,SHA256=B975981573B0E625E25B41D6C6A6795A4A7CA1FA7DEEAF9FB3A6CA018BCA1BCA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000095569Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:24:49.312{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F93AA1770275FD48C25350008082CAC,SHA256=67F4B643477E9F19C0173D7D5B56555D312C47D6F09499662D241346BF7CF5BD,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000095568Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:24:47.189{601D2BAB-04F9-614B-6600-00000000FD01}2700C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-301.eu-central-1.compute.internal50405-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000113269Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:24:50.777{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FEEBCD7317653A5EDBAFEF593F996BC1,SHA256=8AF9BCABE57C89BAA09DCA5F216BD01AF178952AC2DFE23096CC79B08CCA6854,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000113268Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:24:50.777{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=793E65830A597195F95521438683318B,SHA256=3A9943E2AC9DBB7FC785F52DBF4F6EE98CC97F1BE4930BC25CD1DD69526913D1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000113267Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:24:50.605{D0132419-1282-614B-7A02-00000000FC01}60204516C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{D0132419-04DD-614B-2800-00000000FC01}2832C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000113266Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:24:50.465{D0132419-04DE-614B-3100-00000000FC01}23683044C:\Windows\system32\conhost.exe{D0132419-1282-614B-7A02-00000000FC01}6020C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000113265Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:24:50.465{D0132419-04CF-614B-0C00-00000000FC01}8486036C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000113264Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:24:50.465{D0132419-04CF-614B-0C00-00000000FC01}8486036C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000113263Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:24:50.465{D0132419-04CF-614B-0C00-00000000FC01}8486036C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000113262Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:24:50.465{D0132419-04CD-614B-0500-00000000FC01}424540C:\Windows\system32\csrss.exe{D0132419-1282-614B-7A02-00000000FC01}6020C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000113261Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:24:50.465{D0132419-04CF-614B-0C00-00000000FC01}8486036C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000113260Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:24:50.465{D0132419-04DD-614B-2800-00000000FC01}28323704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D0132419-1282-614B-7A02-00000000FC01}6020C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000113259Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:24:50.465{D0132419-1282-614B-7A02-00000000FC01}6020C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D0132419-04CD-614B-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{D0132419-04DD-614B-2800-00000000FC01}2832C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000113258Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:24:50.387{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5575026F470CDA6EFBBA525E19E83BDF,SHA256=5DB83A0A5D2A3F73B27B2F103BF9C8576BBA4A4DC28164DA592739FDC35ED942,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000095570Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:24:50.312{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=27B6E7B196E687EEEBB0DFBD1DD5C99E,SHA256=ED7ACFD0D6486E648A8F7285B610A1EB29AD5D477041A5BC376A324408A76B71,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000113279Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:24:51.418{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1A13192B9378BED4748C92922224DCCA,SHA256=C878AFFF7AE55081C316905B100F915BA04C4DA91E575AE8ABC06327E3691A9B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000095571Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:24:51.312{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=00D95F42EEC947D81EB9195F261814B7,SHA256=0E1D3FA8B66C6CC51E77997F718498F32646D0FA59CD65089A2BAD67431D0E17,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000113278Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:24:48.656{D0132419-04E8-614B-6A00-00000000FC01}3852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local55913-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x8000000000000000113277Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:24:51.137{D0132419-04DE-614B-3100-00000000FC01}23683044C:\Windows\system32\conhost.exe{D0132419-1283-614B-7B02-00000000FC01}6124C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000113276Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:24:51.137{D0132419-04CF-614B-0C00-00000000FC01}8486036C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000113275Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:24:51.137{D0132419-04CF-614B-0C00-00000000FC01}8486036C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000113274Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:24:51.137{D0132419-04CF-614B-0C00-00000000FC01}8486036C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000113273Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:24:51.137{D0132419-04CF-614B-0C00-00000000FC01}8486036C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000113272Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:24:51.137{D0132419-04CD-614B-0500-00000000FC01}42492C:\Windows\system32\csrss.exe{D0132419-1283-614B-7B02-00000000FC01}6124C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000113271Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:24:51.137{D0132419-04DD-614B-2800-00000000FC01}28323704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D0132419-1283-614B-7B02-00000000FC01}6124C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000113270Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:24:51.137{D0132419-1283-614B-7B02-00000000FC01}6124C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D0132419-04CD-614B-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{D0132419-04DD-614B-2800-00000000FC01}2832C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000113283Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:24:52.433{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=00D43973AE2009ADB117BD6E384E8A58,SHA256=819407B909AB5CD741C261B16AEBFEB1C125126BF4C04DE32495FC07B6B3B8A1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000095572Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:24:52.328{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=47509376F11B383216C7CE11FBB37A63,SHA256=4184AEA9E9E111492F69AE6FA463E237935A12188D6E9107EFE1C852751DE921,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000113282Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:24:50.499{D0132419-04CD-614B-0B00-00000000FC01}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local55914-true0:0:0:0:0:0:0:1win-dc-639.attackrange.local389ldap 354300x8000000000000000113281Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:24:50.499{D0132419-04DD-614B-2500-00000000FC01}2784C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local55914-true0:0:0:0:0:0:0:1win-dc-639.attackrange.local389ldap 23542300x8000000000000000113280Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:24:52.152{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FEEBCD7317653A5EDBAFEF593F996BC1,SHA256=8AF9BCABE57C89BAA09DCA5F216BD01AF178952AC2DFE23096CC79B08CCA6854,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000113293Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:24:53.730{D0132419-1285-614B-7C02-00000000FC01}57685396C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D0132419-04DD-614B-2800-00000000FC01}2832C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000113292Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:24:53.543{D0132419-04DE-614B-3100-00000000FC01}23683044C:\Windows\system32\conhost.exe{D0132419-1285-614B-7C02-00000000FC01}5768C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000113291Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:24:53.543{D0132419-04CF-614B-0C00-00000000FC01}8486036C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000113290Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:24:53.543{D0132419-04CF-614B-0C00-00000000FC01}8486036C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000113289Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:24:53.543{D0132419-04CF-614B-0C00-00000000FC01}8486036C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000113288Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:24:53.543{D0132419-04CF-614B-0C00-00000000FC01}8486036C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000113287Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:24:53.543{D0132419-04CD-614B-0500-00000000FC01}424440C:\Windows\system32\csrss.exe{D0132419-1285-614B-7C02-00000000FC01}5768C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000113286Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:24:53.543{D0132419-04DD-614B-2800-00000000FC01}28323704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D0132419-1285-614B-7C02-00000000FC01}5768C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000113285Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:24:53.544{D0132419-1285-614B-7C02-00000000FC01}5768C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D0132419-04CD-614B-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{D0132419-04DD-614B-2800-00000000FC01}2832C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000113284Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:24:53.449{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7140D043C740E59FD9A17F92DC209D2F,SHA256=DE4EDCCD1F124F1015F6F46B116B525D0A631AC051BE035AE41BD9463AA4D73D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000095573Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:24:53.328{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0FF99C21FCF4FA60E000069607F2E10F,SHA256=E85FE78F31B2F0D313E6663E805713701708A07B90763D516296B134BF1BD04E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000113295Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:24:54.543{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B1EFDC2514E6C1290968CADBCE43E077,SHA256=9B2670AB98660697F7A3D2769A11A860BE280A5FAB7F4C092994E151E648CB48,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000113294Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:24:54.465{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F68D2DE51EA82064373D4F21F126B7C5,SHA256=803F0DE9EBE7629D3FB21CDD234F96C6D8A01C906D9F1D38E544E5634E881F97,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000095574Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:24:54.328{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=79558F21A6C7200C4C3489228FA725AA,SHA256=A1E76AA7E4BD25DB3DB027170FCE1D1CF3E7276DF27CD0AB1AF41D6FC519DCD4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000113296Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:24:55.496{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=629E741CFFC73E3A21420D102DD04B57,SHA256=3214DD79243698A2E1BCA87F2DCB492E5C93E2F38374E9D34BFF66E5CAB145D6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000095577Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:24:55.344{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0298B3DDA26F2E95C6B9D5CF25E10443,SHA256=9735DD0F71B654944F84915E60B41A8F5E2FF3F922C4EA3049B19098993BA32F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000095576Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:24:55.328{601D2BAB-04EE-614B-1100-00000000FD01}972NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=386EC2A486D6BA85E79900D76A860519,SHA256=BDC5EB180CD9E909D08A6092AE401B5C16EE6985FE4CB8CE37B6C79911F53B3B,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000095575Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:24:53.111{601D2BAB-04F9-614B-6600-00000000FD01}2700C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-301.eu-central-1.compute.internal50406-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000113297Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:24:56.543{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C0376DDE4F0FD047BA66BDA4A3209323,SHA256=49B253D45D5DB4CE0165E36FB2ED6DCA65C2FC10FCD1D649EF908DED248183AF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000095588Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:24:56.359{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=37267A1DE044B220B2428AC71877A4F9,SHA256=E04C6705706C56F960C9979560BE8BED40CA103D87CF5ED3AE0022F73204ECDE,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000095587Microsoft-Windows-Sysmon/Operationalwin-host-301-SetValue2021-09-22 11:24:56.047{601D2BAB-04EE-614B-0B00-00000000FD01}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x800000000000000095586Microsoft-Windows-Sysmon/Operationalwin-host-301-SetValue2021-09-22 11:24:56.047{601D2BAB-04EE-614B-0B00-00000000FD01}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x0035bcb6) 13241300x800000000000000095585Microsoft-Windows-Sysmon/Operationalwin-host-301-SetValue2021-09-22 11:24:56.047{601D2BAB-04EE-614B-0B00-00000000FD01}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7af9c-0x162ee6bd) 13241300x800000000000000095584Microsoft-Windows-Sysmon/Operationalwin-host-301-SetValue2021-09-22 11:24:56.047{601D2BAB-04EE-614B-0B00-00000000FD01}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7afa4-0x77f34ebd) 13241300x800000000000000095583Microsoft-Windows-Sysmon/Operationalwin-host-301-SetValue2021-09-22 11:24:56.047{601D2BAB-04EE-614B-0B00-00000000FD01}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7afac-0xd9b7b6bd) 13241300x800000000000000095582Microsoft-Windows-Sysmon/Operationalwin-host-301-SetValue2021-09-22 11:24:56.047{601D2BAB-04EE-614B-0B00-00000000FD01}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x800000000000000095581Microsoft-Windows-Sysmon/Operationalwin-host-301-SetValue2021-09-22 11:24:56.047{601D2BAB-04EE-614B-0B00-00000000FD01}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x0035bcb6) 13241300x800000000000000095580Microsoft-Windows-Sysmon/Operationalwin-host-301-SetValue2021-09-22 11:24:56.047{601D2BAB-04EE-614B-0B00-00000000FD01}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7af9c-0x162ee6bd) 13241300x800000000000000095579Microsoft-Windows-Sysmon/Operationalwin-host-301-SetValue2021-09-22 11:24:56.047{601D2BAB-04EE-614B-0B00-00000000FD01}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7afa4-0x77f34ebd) 13241300x800000000000000095578Microsoft-Windows-Sysmon/Operationalwin-host-301-SetValue2021-09-22 11:24:56.047{601D2BAB-04EE-614B-0B00-00000000FD01}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7afac-0xd9b7b6bd) 23542300x8000000000000000113299Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:24:57.574{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D9116AF10F68779B9FCD7560CBBECFAA,SHA256=2DE277F42C673B09D810EAB660F19A17A7971C9B897DA7E19E686824E0CFDBA2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000095589Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:24:57.375{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F64F9CAE02C126239B7619CF278EDED1,SHA256=49E25CE698F496BD80286D6A3127E902027732A83F5B231B1B2A14D6701DA3CF,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000113298Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:24:54.592{D0132419-04E8-614B-6A00-00000000FC01}3852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local55915-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000113300Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:24:58.590{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B60B0790A8C7A1D603D6AD134FCA1BC,SHA256=19E6F36BEAB072BAEF58BB69926619075833999EFC37825D016C4F1594FEAAF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000095590Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:24:58.375{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EF6F5B80DA0352CF9E0A9D00DE3056B1,SHA256=D90D7F086C34509E2798EA68DBE08516F2EE07045BF75092430648FE7BAB59D0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000113301Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:24:59.605{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7573FC09DA3294AD06D15C9BE1194CFE,SHA256=0A07B3CFEC617B4A31C6A1FAECA4BFBF8BA12A7774D02664A2F5AFD13C483393,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000095591Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:24:59.391{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=410CCD34FF1F816EA5A9A6D0982F8B0D,SHA256=6270EFE5753A25FC35A092BE6C786447E74ADA737A2C85F559BD81E411D5BC06,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000113302Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:25:00.637{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D5E55FCDCF645F7CDCB7CB7780332FA7,SHA256=08BBEF2B05877558A3731A492DBA1C7F956EA69ED850A353FB07B00E7A083AA3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000095592Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:25:00.398{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A310BC2467E234E3F64832285E0744D9,SHA256=C8579F911CB49AD7D4C2F89B338E8276461B9B43C83D8C7FEEC5BF5A564B29ED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000113303Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:25:01.652{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F2EA3CB81A02F14AC97DD04AB312516,SHA256=3FB7896A37B14B7359C86AD32A907522925DB7533D140C0F0960E3B2C4DCCE13,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000095594Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:25:01.413{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F61486B91C77D231C1424C78FFA44D47,SHA256=B08F92044F52700134B835031B7A11E374A6D2BFADA626AD3BA56B2BB88E8447,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000095593Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:24:59.080{601D2BAB-04F9-614B-6600-00000000FD01}2700C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-301.eu-central-1.compute.internal50407-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000113305Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:25:00.545{D0132419-04E8-614B-6A00-00000000FC01}3852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local55916-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000113304Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:25:02.683{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=26471ADD9B6CB98692455401B70F0BBF,SHA256=2CCEF2BFAE888D5FD15D37B5DC34C6483D224EAF09B350EFC22D55CD838B2FB3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000095595Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:25:02.413{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=56E72880225D806910C25EC59407E5D8,SHA256=ABBB82FCA4B60F9B8FA164612AFFC1FE0963CB4C7DB451F29DB5C867A17E8F23,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000113306Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:25:03.699{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=402922F9EA2D86CF4B8DDA7DB10BA9DC,SHA256=AA6B456000AA34951244DA882E52DB5B6F5B62899F7C2F6744AE51FB5AF68267,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000095596Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:25:03.413{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9471DA4EE24CD2E209141264B66B1B68,SHA256=CAFE54D9F86082A9EAC515761F1223E3276D4FFC5B16119AFD1A6821DE6B3366,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000113307Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:25:04.715{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=90CFA9ECCAA99791617AA81F7D7064ED,SHA256=464323268F115F54DCD425EBDBCF2FE5E4EC95C9E4F8D1A41A937136E056AA75,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000095597Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:25:04.429{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F8A8E9C6ED5497B32140F13CE0C4561,SHA256=FF3C3AAC43422CDFEBA3A1D95A3CD945827D2AF8ECAC0BFAA796DD3E6E5742E1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000113309Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:25:05.717{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A8293EA23D93E7C1D7108D7482012A0,SHA256=4DE00C08C72E63F3F9AAB63E4E81B76A7F42DA20FD3F6541AC4726DCC8B5CC52,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000095598Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:25:05.429{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A613C1FE86787DC4B3CA6A7012DBE3B5,SHA256=4F11B994088624E6C6DC755C634B5040BA461CB05FD34F6DF736B41A10B7B01B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000113308Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:25:05.641{D0132419-04DD-614B-2900-00000000FC01}2876NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-00d0db05f68d8430c\channels\health\respondent-20210922102639-056MD5=345F625AB226979275E8E5CD8333D545,SHA256=49B2C959B2C09B2DF7CFAED4905912E8B63F426A3734D76F2BAAFA07100D73D3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000113357Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:25:06.918{D0132419-04CF-614B-0D00-00000000FC01}908928C:\Windows\system32\svchost.exe{D0132419-0A67-614B-5101-00000000FC01}4416C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000113356Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:25:06.918{D0132419-04CF-614B-0D00-00000000FC01}908928C:\Windows\system32\svchost.exe{D0132419-0A67-614B-5101-00000000FC01}4416C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000113355Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:25:06.918{D0132419-04CF-614B-0D00-00000000FC01}908928C:\Windows\system32\svchost.exe{D0132419-0A67-614B-5101-00000000FC01}4416C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000113354Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:25:06.918{D0132419-04CF-614B-0D00-00000000FC01}908928C:\Windows\system32\svchost.exe{D0132419-0A67-614B-5101-00000000FC01}4416C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000113353Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:25:06.918{D0132419-04CF-614B-0D00-00000000FC01}908928C:\Windows\system32\svchost.exe{D0132419-0A67-614B-5101-00000000FC01}4416C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000113352Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:25:06.918{D0132419-04CF-614B-0D00-00000000FC01}908928C:\Windows\system32\svchost.exe{D0132419-0A67-614B-5101-00000000FC01}4416C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000113351Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:25:06.918{D0132419-04CF-614B-0D00-00000000FC01}908928C:\Windows\system32\svchost.exe{D0132419-0A67-614B-5101-00000000FC01}4416C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000113350Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:25:06.918{D0132419-04CF-614B-0D00-00000000FC01}908928C:\Windows\system32\svchost.exe{D0132419-0A67-614B-5101-00000000FC01}4416C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000113349Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:25:06.918{D0132419-04CF-614B-0D00-00000000FC01}908928C:\Windows\system32\svchost.exe{D0132419-0A67-614B-5201-00000000FC01}4528C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000113348Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:25:06.918{D0132419-04CF-614B-0D00-00000000FC01}908928C:\Windows\system32\svchost.exe{D0132419-0A67-614B-5201-00000000FC01}4528C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000113347Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:25:06.918{D0132419-04CF-614B-0D00-00000000FC01}908928C:\Windows\system32\svchost.exe{D0132419-0A67-614B-5201-00000000FC01}4528C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000113346Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:25:06.918{D0132419-04CF-614B-0D00-00000000FC01}908928C:\Windows\system32\svchost.exe{D0132419-0A66-614B-5001-00000000FC01}4192C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000113345Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:25:06.918{D0132419-04CF-614B-0D00-00000000FC01}908928C:\Windows\system32\svchost.exe{D0132419-0A66-614B-5001-00000000FC01}4192C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000113344Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:25:06.918{D0132419-04CF-614B-0D00-00000000FC01}908928C:\Windows\system32\svchost.exe{D0132419-0A66-614B-5001-00000000FC01}4192C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000113343Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:25:06.918{D0132419-04CF-614B-0D00-00000000FC01}908928C:\Windows\system32\svchost.exe{D0132419-0A66-614B-5001-00000000FC01}4192C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000113342Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:25:06.918{D0132419-04CF-614B-0D00-00000000FC01}908928C:\Windows\system32\svchost.exe{D0132419-0A66-614B-5001-00000000FC01}4192C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000113341Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:25:06.918{D0132419-04CF-614B-0D00-00000000FC01}908928C:\Windows\system32\svchost.exe{D0132419-0A66-614B-5001-00000000FC01}4192C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000113340Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:25:06.918{D0132419-04CF-614B-0D00-00000000FC01}908928C:\Windows\system32\svchost.exe{D0132419-0A66-614B-5001-00000000FC01}4192C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000113339Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:25:06.918{D0132419-04CF-614B-0D00-00000000FC01}908928C:\Windows\system32\svchost.exe{D0132419-0A66-614B-5001-00000000FC01}4192C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000113338Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:25:06.918{D0132419-04CF-614B-0D00-00000000FC01}908928C:\Windows\system32\svchost.exe{D0132419-0A66-614B-5001-00000000FC01}4192C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000113337Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:25:06.918{D0132419-04CF-614B-0D00-00000000FC01}908928C:\Windows\system32\svchost.exe{D0132419-0A66-614B-5001-00000000FC01}4192C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000113336Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:25:06.918{D0132419-04CF-614B-0D00-00000000FC01}908928C:\Windows\system32\svchost.exe{D0132419-0A66-614B-5001-00000000FC01}4192C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000113335Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:25:06.918{D0132419-04CF-614B-0D00-00000000FC01}908928C:\Windows\system32\svchost.exe{D0132419-0A66-614B-5001-00000000FC01}4192C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000113334Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:25:06.918{D0132419-04CF-614B-0D00-00000000FC01}908928C:\Windows\system32\svchost.exe{D0132419-0A66-614B-5001-00000000FC01}4192C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000113333Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:25:06.918{D0132419-04CF-614B-0D00-00000000FC01}908928C:\Windows\system32\svchost.exe{D0132419-0A66-614B-5001-00000000FC01}4192C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000113332Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:25:06.918{D0132419-04CF-614B-0D00-00000000FC01}908928C:\Windows\system32\svchost.exe{D0132419-0A66-614B-5001-00000000FC01}4192C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000113331Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:25:06.918{D0132419-04CF-614B-0D00-00000000FC01}908928C:\Windows\system32\svchost.exe{D0132419-0A66-614B-5001-00000000FC01}4192C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000113330Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:25:06.918{D0132419-04CF-614B-0D00-00000000FC01}908928C:\Windows\system32\svchost.exe{D0132419-0A66-614B-5001-00000000FC01}4192C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000113329Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:25:06.918{D0132419-04CF-614B-0D00-00000000FC01}908928C:\Windows\system32\svchost.exe{D0132419-0A66-614B-5001-00000000FC01}4192C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000113328Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:25:06.887{D0132419-04DE-614B-3100-00000000FC01}23683044C:\Windows\system32\conhost.exe{D0132419-1292-614B-7E02-00000000FC01}5992C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000113327Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:25:06.887{D0132419-04CF-614B-0C00-00000000FC01}8486036C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000113326Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:25:06.887{D0132419-04CF-614B-0C00-00000000FC01}8486036C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000113325Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:25:06.887{D0132419-04CF-614B-0C00-00000000FC01}8486036C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000113324Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:25:06.887{D0132419-04CF-614B-0C00-00000000FC01}8486036C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000113323Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:25:06.887{D0132419-04CD-614B-0500-00000000FC01}424440C:\Windows\system32\csrss.exe{D0132419-1292-614B-7E02-00000000FC01}5992C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000113322Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:25:06.887{D0132419-04DD-614B-2800-00000000FC01}28323704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D0132419-1292-614B-7E02-00000000FC01}5992C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000113321Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:25:06.888{D0132419-1292-614B-7E02-00000000FC01}5992C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{D0132419-04CD-614B-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{D0132419-04DD-614B-2800-00000000FC01}2832C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000113320Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:25:06.747{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C0C59E66BED47FC2510BAF607D90EB7,SHA256=D97A86F4BF46FDC2A7B7E1A311DECE774E358C2C3600CB8DD178653352A8CCCB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000095613Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:25:06.429{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=681C2D584C761D2326FC0DC44D5E7568,SHA256=3880488A9F8EE06E2573B7BA0ACF904C5E8310E6ED6BC8ED38A8871F98234FD6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000113319Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:25:06.640{D0132419-04DD-614B-2900-00000000FC01}2876NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-00d0db05f68d8430c\channels\health\surveyor-20210922102637-057MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000113318Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:25:06.420{D0132419-1292-614B-7D02-00000000FC01}16925776C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{D0132419-04DD-614B-2800-00000000FC01}2832C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000113317Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:25:06.217{D0132419-04DE-614B-3100-00000000FC01}23683044C:\Windows\system32\conhost.exe{D0132419-1292-614B-7D02-00000000FC01}1692C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000113316Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:25:06.217{D0132419-04CF-614B-0C00-00000000FC01}8486036C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000113315Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:25:06.217{D0132419-04CF-614B-0C00-00000000FC01}8486036C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000113314Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:25:06.217{D0132419-04CF-614B-0C00-00000000FC01}8486036C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000113313Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:25:06.217{D0132419-04CF-614B-0C00-00000000FC01}8486036C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000113312Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:25:06.217{D0132419-04CD-614B-0500-00000000FC01}424540C:\Windows\system32\csrss.exe{D0132419-1292-614B-7D02-00000000FC01}1692C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000113311Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:25:06.217{D0132419-04DD-614B-2800-00000000FC01}28323704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D0132419-1292-614B-7D02-00000000FC01}1692C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000113310Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:25:06.217{D0132419-1292-614B-7D02-00000000FC01}1692C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D0132419-04CD-614B-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{D0132419-04DD-614B-2800-00000000FC01}2832C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000095612Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:25:05.088{601D2BAB-04F9-614B-6600-00000000FD01}2700C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-301.eu-central-1.compute.internal50408-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x800000000000000095611Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:25:06.023{601D2BAB-04F0-614B-2B00-00000000FD01}28122832C:\Windows\system32\conhost.exe{601D2BAB-1292-614B-2D02-00000000FD01}2392C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000095610Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:25:06.023{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000095609Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:25:06.023{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000095608Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:25:06.023{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000095607Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:25:06.023{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000095606Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:25:06.023{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000095605Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:25:06.023{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000095604Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:25:06.023{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000095603Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:25:06.023{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000095602Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:25:06.023{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000095601Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:25:06.023{601D2BAB-04ED-614B-0500-00000000FD01}4121044C:\Windows\system32\csrss.exe{601D2BAB-1292-614B-2D02-00000000FD01}2392C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000095600Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:25:06.023{601D2BAB-04EF-614B-2300-00000000FD01}15603852C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{601D2BAB-1292-614B-2D02-00000000FD01}2392C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000095599Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:25:06.023{601D2BAB-1292-614B-2D02-00000000FD01}2392C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{601D2BAB-04EE-614B-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{601D2BAB-04EF-614B-2300-00000000FD01}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000113370Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:25:07.767{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B6DB4DC2367F6AD3DD81899F95384FE7,SHA256=EB58CC7249B11DD6B64FF82C2877E2A66BB2DBFCAF68173D3E062A58BA7722F9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000095643Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:25:07.804{601D2BAB-04F0-614B-2B00-00000000FD01}28122832C:\Windows\system32\conhost.exe{601D2BAB-1293-614B-2F02-00000000FD01}3328C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000095642Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:25:07.804{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000095641Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:25:07.804{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000095640Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:25:07.804{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000095639Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:25:07.804{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000095638Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:25:07.804{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000095637Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:25:07.804{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000095636Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:25:07.804{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000095635Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:25:07.804{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000095634Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:25:07.804{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000095633Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:25:07.804{601D2BAB-04ED-614B-0500-00000000FD01}412428C:\Windows\system32\csrss.exe{601D2BAB-1293-614B-2F02-00000000FD01}3328C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000095632Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:25:07.804{601D2BAB-04EF-614B-2300-00000000FD01}15603852C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{601D2BAB-1293-614B-2F02-00000000FD01}3328C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000095631Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:25:07.804{601D2BAB-1293-614B-2F02-00000000FD01}3328C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{601D2BAB-04EE-614B-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{601D2BAB-04EF-614B-2300-00000000FD01}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000095630Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:25:07.429{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=335929E56911076DE1438FB1D1CF3417,SHA256=D983D27491C00123F06A6BE1761793B90EA06C69DD4B1C50A77814C923B86E63,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000113369Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:25:07.533{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3E4E23C9A1D3AA11B200518F8C5C099B,SHA256=9EC84B2B181055E4F414F47BB1080F664AF17A094A6BC0456C5E859E0FD173FA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000113368Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:25:07.377{D0132419-04DE-614B-3100-00000000FC01}23683044C:\Windows\system32\conhost.exe{D0132419-1293-614B-7F02-00000000FC01}6044C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000113367Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:25:07.377{D0132419-04CF-614B-0C00-00000000FC01}8486036C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000113366Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:25:07.377{D0132419-04CF-614B-0C00-00000000FC01}8486036C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000113365Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:25:07.377{D0132419-04CF-614B-0C00-00000000FC01}8486036C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000113364Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:25:07.377{D0132419-04CF-614B-0C00-00000000FC01}8486036C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000113363Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:25:07.377{D0132419-04CD-614B-0500-00000000FC01}424440C:\Windows\system32\csrss.exe{D0132419-1293-614B-7F02-00000000FC01}6044C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000113362Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:25:07.377{D0132419-04DD-614B-2800-00000000FC01}28323704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D0132419-1293-614B-7F02-00000000FC01}6044C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000113361Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:25:07.378{D0132419-1293-614B-7F02-00000000FC01}6044C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D0132419-04CD-614B-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{D0132419-04DD-614B-2800-00000000FC01}2832C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000113360Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:25:07.299{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A563F7BDE9CE78327FBB757DA1F47F31,SHA256=A92810B60C5CA04F19F42DB5A081B5C3E75F10B73C2490AF227A2FB07CD7F7D6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000113359Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:25:07.299{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B030DF9F3DD7786086D8EFEC544C31A7,SHA256=A0432A90F79112CE69E6C44ACD66BE7A66B9E5D303B44E02035167132C56EA83,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000113358Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:25:07.137{D0132419-1292-614B-7E02-00000000FC01}59922712C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D0132419-04DD-614B-2800-00000000FC01}2832C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000095629Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:25:07.257{601D2BAB-1293-614B-2E02-00000000FD01}23242884C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{601D2BAB-04EF-614B-2300-00000000FD01}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000095628Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:25:07.132{601D2BAB-04F0-614B-2B00-00000000FD01}28122832C:\Windows\system32\conhost.exe{601D2BAB-1293-614B-2E02-00000000FD01}2324C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000095627Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:25:07.132{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000095626Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:25:07.132{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000095625Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:25:07.132{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000095624Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:25:07.132{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000095623Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:25:07.132{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000095622Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:25:07.132{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000095621Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:25:07.132{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000095620Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:25:07.132{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000095619Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:25:07.132{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000095618Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:25:07.132{601D2BAB-04ED-614B-0500-00000000FD01}4121044C:\Windows\system32\csrss.exe{601D2BAB-1293-614B-2E02-00000000FD01}2324C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000095617Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:25:07.132{601D2BAB-04EF-614B-2300-00000000FD01}15603852C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{601D2BAB-1293-614B-2E02-00000000FD01}2324C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000095616Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:25:07.133{601D2BAB-1293-614B-2E02-00000000FD01}2324C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{601D2BAB-04EE-614B-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{601D2BAB-04EF-614B-2300-00000000FD01}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000095615Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:25:07.101{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=33FC316AA2D791E32FF889ADAAA1544F,SHA256=82B5B346F2CABE94FB12F4B313A4AB28835C1941A59794C8C09F3FF870846CF9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000095614Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:25:07.101{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E3A1C79612F6CD2A43B1B83785BB8576,SHA256=A114D0ACA8D8C7FD2009AE3394A61CC0ECF698AC948D03A5384C14EA2D0C1624,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000113373Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:25:08.783{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1CFFCA3317365CB18E7940CBAB306F76,SHA256=F8468AB22FAF304D9382CE31B593A8EBE986D9579D10C797B29B028582AC93B6,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000113372Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:25:06.561{D0132419-04E8-614B-6A00-00000000FC01}3852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local55917-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000095645Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:25:08.429{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E0F73C2B52A7290A1CBBC8C698FD9B76,SHA256=3D87344A81877811DC0286161CAE5E7D8877B3E6EA02295A63733D0F438C7CD8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000113371Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:25:08.392{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A563F7BDE9CE78327FBB757DA1F47F31,SHA256=A92810B60C5CA04F19F42DB5A081B5C3E75F10B73C2490AF227A2FB07CD7F7D6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000095644Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:25:08.335{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=33FC316AA2D791E32FF889ADAAA1544F,SHA256=82B5B346F2CABE94FB12F4B313A4AB28835C1941A59794C8C09F3FF870846CF9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000113374Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:25:09.799{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=59292F33CE814CCC4AE2EF61D1C5191B,SHA256=2D7975D4F8B0177401F32040DBCB4FFB86FC744554914185E3689E3EF8A6DFB6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000095660Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:25:09.866{601D2BAB-1295-614B-3002-00000000FD01}3283680C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{601D2BAB-04EF-614B-2300-00000000FD01}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000095659Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:25:09.741{601D2BAB-04F0-614B-2B00-00000000FD01}28122832C:\Windows\system32\conhost.exe{601D2BAB-1295-614B-3002-00000000FD01}328C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000095658Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:25:09.741{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000095657Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:25:09.741{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000095656Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:25:09.741{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000095655Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:25:09.741{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000095654Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:25:09.741{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000095653Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:25:09.741{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000095652Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:25:09.741{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000095651Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:25:09.741{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000095650Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:25:09.741{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000095649Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:25:09.741{601D2BAB-04ED-614B-0500-00000000FD01}4121044C:\Windows\system32\csrss.exe{601D2BAB-1295-614B-3002-00000000FD01}328C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000095648Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:25:09.741{601D2BAB-04EF-614B-2300-00000000FD01}15603852C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{601D2BAB-1295-614B-3002-00000000FD01}328C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000095647Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:25:09.742{601D2BAB-1295-614B-3002-00000000FD01}328C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{601D2BAB-04EE-614B-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{601D2BAB-04EF-614B-2300-00000000FD01}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000095646Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:25:09.429{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=66FD5C67C5F32969E9302E91178F5DBB,SHA256=482630F3670D281A33D3399AB883F273CAC6CE055E7054335875B0B9E91B822A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000113375Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:25:10.814{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=79631F964B4B3B62A59951544B4FAB0D,SHA256=02A515B09E9E4D4DE29A122FA586385372FC43C310519D300E0D5B54DB83EEB5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000095676Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:25:10.882{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=86F588E7FA3C45FCADFB60E70960AA00,SHA256=54240DF8669290E0E152EA1C149BB5CC10B11DF48C59DFEB0F8D3847A1F904BA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000095675Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:25:10.882{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=479C6C32045D735BB8D4002EAB8A8144,SHA256=CE764902A1D7C612B67A396DB76BE6A8C839EA478BB0B9AB9962932793769499,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000095674Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:25:10.538{601D2BAB-1296-614B-3102-00000000FD01}15203464C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{601D2BAB-04EF-614B-2300-00000000FD01}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000095673Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:25:10.413{601D2BAB-04F0-614B-2B00-00000000FD01}28122832C:\Windows\system32\conhost.exe{601D2BAB-1296-614B-3102-00000000FD01}1520C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000095672Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:25:10.413{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000095671Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:25:10.413{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000095670Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:25:10.413{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000095669Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:25:10.413{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000095668Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:25:10.413{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000095667Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:25:10.413{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000095666Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:25:10.413{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000095665Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:25:10.413{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000095664Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:25:10.413{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000095663Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:25:10.413{601D2BAB-04ED-614B-0500-00000000FD01}412528C:\Windows\system32\csrss.exe{601D2BAB-1296-614B-3102-00000000FD01}1520C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000095662Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:25:10.413{601D2BAB-04EF-614B-2300-00000000FD01}15603852C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{601D2BAB-1296-614B-3102-00000000FD01}1520C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000095661Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:25:10.414{601D2BAB-1296-614B-3102-00000000FD01}1520C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{601D2BAB-04EE-614B-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{601D2BAB-04EF-614B-2300-00000000FD01}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000113376Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:25:11.830{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=12A8B4AE1AC82550E3CC62DD3BE8144D,SHA256=8B89DF7A6E2294FCE890AEE1070E9797A0DFC8022719136A5B69BC1A300CAD46,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000095692Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:25:11.570{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C6AF258B38C6BFDFFF53DDEA32E8F2F,SHA256=C12BD6D27B1AA5B8D414194B7109BECAE4EBBA1F1469C6DD4342CED4301700E4,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000095691Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:25:10.181{601D2BAB-04F9-614B-6600-00000000FD01}2700C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-301.eu-central-1.compute.internal50409-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x800000000000000095690Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:25:11.226{601D2BAB-1297-614B-3202-00000000FD01}21844060C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{601D2BAB-04EF-614B-2300-00000000FD01}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000095689Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:25:11.085{601D2BAB-04F0-614B-2B00-00000000FD01}28122832C:\Windows\system32\conhost.exe{601D2BAB-1297-614B-3202-00000000FD01}2184C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000095688Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:25:11.085{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000095687Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:25:11.085{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000095686Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:25:11.085{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000095685Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:25:11.085{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000095684Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:25:11.085{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000095683Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:25:11.085{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000095682Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:25:11.085{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000095681Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:25:11.085{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000095680Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:25:11.085{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000095679Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:25:11.085{601D2BAB-04ED-614B-0500-00000000FD01}412528C:\Windows\system32\csrss.exe{601D2BAB-1297-614B-3202-00000000FD01}2184C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000095678Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:25:11.085{601D2BAB-04EF-614B-2300-00000000FD01}15603852C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{601D2BAB-1297-614B-3202-00000000FD01}2184C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000095677Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:25:11.086{601D2BAB-1297-614B-3202-00000000FD01}2184C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{601D2BAB-04EE-614B-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{601D2BAB-04EF-614B-2300-00000000FD01}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000113377Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:25:12.846{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A96DC588A96F83A98730889D0825225B,SHA256=3F0ED1DD89F7614170E9852B94E2E6B5689F610272FB2C02652EB5E4AED6011B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000095694Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:25:12.585{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2C8D2E750BC322CA6BDB0DE481178833,SHA256=B89FB7D8D29C946DAE942169F482D8D82263D120C1DCCF05AF4EA061DECD13AF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000095693Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:25:12.132{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E5CD019356D0D45B30527F8CB6B762E9,SHA256=E6E5D5DC48CE13CD166F81B4791B8E078B8C94AEE7D7230ABB263406B3A49399,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000113378Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:25:13.861{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=64C270EA3D6B7CC89504885AE0D60B16,SHA256=8141E58DAB5B31B379206849861A1FAE5FE19595F34756E12261C65BE821CA5A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000095708Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:25:13.601{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA7B93F8BC11FC0C846E5CF12A09C08F,SHA256=8A7252D98DCE1A625681F14F133F4EC28C1DB8D14B3AF22C9B8380F09054CB1B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000095707Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:25:13.007{601D2BAB-04F0-614B-2B00-00000000FD01}28122832C:\Windows\system32\conhost.exe{601D2BAB-1299-614B-3302-00000000FD01}3700C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000095706Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:25:13.007{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000095705Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:25:13.007{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000095704Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:25:13.007{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000095703Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:25:13.007{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000095702Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:25:13.007{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000095701Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:25:13.007{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000095700Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:25:13.007{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000095699Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:25:13.007{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000095698Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:25:13.007{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000095697Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:25:13.007{601D2BAB-04ED-614B-0500-00000000FD01}412528C:\Windows\system32\csrss.exe{601D2BAB-1299-614B-3302-00000000FD01}3700C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000095696Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:25:13.007{601D2BAB-04EF-614B-2300-00000000FD01}15603852C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{601D2BAB-1299-614B-3302-00000000FD01}3700C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000095695Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:25:13.008{601D2BAB-1299-614B-3302-00000000FD01}3700C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{601D2BAB-04EE-614B-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{601D2BAB-04EF-614B-2300-00000000FD01}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000113380Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:25:14.877{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F83B531E58433F2AB4897C2FE62E3B7,SHA256=4390396E65120E91F070022481B89D1A3733A65A8F8533895572222C20A0E278,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000095710Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:25:14.632{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=33FFA38E6B94E546A54D66F4D36CCA74,SHA256=7ECB5AAD123E8F87F3BDD9259A0ACC13FE32574BBDB0277ADECE70C5114B3C53,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000113379Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:25:11.567{D0132419-04E8-614B-6A00-00000000FC01}3852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local55918-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000095709Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:25:14.241{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6C8A6098FDB0623F340E63DE9F51D2D2,SHA256=1747858FFA2A2DFA3DF77A807D4C6844D0326FB2DA83718BF4478DFE55CE20E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000113381Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:25:15.924{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C07413EE5B59AF3D8A96FD7FEF7BB137,SHA256=5C5431834FC52EB5E47BFCD228D9D0A965E435EA0A446601BFA435C0D366043D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000095711Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:25:15.663{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=42E97938D906D71017651BB284F68ACC,SHA256=25D91B436B0D741AC2599FFAE1BEFADEA2B0A47A49AC136E117707568E132ABA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000113382Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:25:16.924{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=664EB33FEB0A35B128F47D63E15F6D31,SHA256=72149CFA88F290F465249029E53F06AB85BCBC826A2CF85B215B2E09BB8ED10C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000095712Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:25:16.695{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=147C9DCDFE51960D5A6C5B284B92A49F,SHA256=EB6EB6EACA7B332AC4F61D6B32C23DF0B12E4AF50D1BA244ADFCB8212992E2AF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000113383Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:25:17.955{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C0DB3A9219A7D93F8EC4887E36C95A5D,SHA256=B17844E39FD558AC887681A88FCBB8CE714F15CE8F6394A8BD6043932A917985,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000095714Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:25:17.757{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=81A80A8E7216405EF4DF7452481D1CA5,SHA256=BF9FBCFE9D7B8128604C00531184B52AFE381B0A0B3EFE8616415B924BEA8181,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000095713Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:25:16.025{601D2BAB-04F9-614B-6600-00000000FD01}2700C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-301.eu-central-1.compute.internal50410-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000113384Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:25:18.986{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CFB1BAF07006BA5F8FB0D6FD4D818FA2,SHA256=6D3BDE222A44BB1D6D49989F40771A93568ED7FCD8871849280BA0E0347F1B63,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000095715Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:25:18.757{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A0BCD68D62265173B39F1171E1AB4CCE,SHA256=8C8FFA21F57E1DE19B5B384912DF8830F75EAB5F712B4B20932A8D783B775B8F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000095716Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:25:19.773{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D7B2D1AD8A613BB09C22A60C88D68B90,SHA256=6BEA2341D59C0C0CAF6419D6FC1093C63A36E99FC214848FB71824B566CD6A8A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000095717Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:25:20.855{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4EF8CC7AF9AB4FABFC13533BDFCD024D,SHA256=DF5C716B1C931B1DDD5570BB6E5AB0A080B1F17A270642CDD1D456B1AD9BEC82,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000113386Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:25:17.582{D0132419-04E8-614B-6A00-00000000FC01}3852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local55919-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000113385Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:25:20.002{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=309C0277E0197F5FF3E8051B805269D4,SHA256=767647DD369DA9D12BC6C5E6FC0A813C3A1CF17E6B2DE778FEF7FF4FF07D6FA8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000095718Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:25:21.949{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=84C140B06F6385FC17D3B5DD0DA00BF3,SHA256=1749966A234FB8896849075B1BE9E331B049A8CF881352502F49B0178FC16BC3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000113387Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:25:21.158{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E342C41E151F4247F44F1138C9D92DFA,SHA256=455843D0746774F67195FD3AE1A1498AEF2ECA9D7E9AE8D2CB98CC4B0A47CC56,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000095720Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:25:22.950{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A4EE096904B609ACA95DFE81AC63FE72,SHA256=E94F037797492E4B7EDE511F5DF45835969B81821E29D9AFFA86225A838D6EA5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000113388Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:25:22.161{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=77CF922579C6A3A128EB4AB61B55E7D2,SHA256=81E542D3DF249213D2D51AAAFD0DA900FE540546187B21212D62C78092400356,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000095719Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:25:21.045{601D2BAB-04F9-614B-6600-00000000FD01}2700C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-301.eu-central-1.compute.internal50411-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000095722Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:25:23.981{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC62C9856484E23FD7534FBB87DBFBA7,SHA256=B56BF6366BB5C8C455E43A140D8DFBC79414AB8D82BB4727B6C2BF0979E7B78C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000113389Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:25:23.174{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F3D6559FAE826EA979E7B389F3C31464,SHA256=EA6ACE3CC0135E676516B651DE01BF1336D570B3D91D5F41BE22D3013437E1C4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000095721Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:25:23.156{601D2BAB-04EF-614B-1D00-00000000FD01}1920NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-03510517867203100\channels\health\respondent-20210922102657-056MD5=22FBA84AE51C77110BB6250FAEBEFB73,SHA256=8C4862C18A6D8E85F040577B2F2863C8212E82437A5FE9547DE6724818512818,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000095724Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:25:24.986{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D9C0240F54967C87B518B1FF4061EEF,SHA256=55D5343676E05B4C7A82C7F7506F857D56232A35C8213E674FA89CB33A9A5191,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000113390Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:25:24.205{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=24591937CA287FA69EFD6752F71FD8E0,SHA256=29C09CF2167520CE8717BF9E52EA95F7DAA73E4D1500AA259CFB0C50D9319BA6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000095723Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:25:24.170{601D2BAB-04EF-614B-1D00-00000000FD01}1920NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-03510517867203100\channels\health\surveyor-20210922102655-057MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000095725Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:25:25.986{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9A1026A79AB2F2FEC9431ABB1542BC88,SHA256=BF8A3BC137AE2C641312BA3B2DBA7B6CC27389B3E158B4C9092086EC622F0AA1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000113392Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:25:25.221{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D37E2B89018144F5EA69AB6721F1E26C,SHA256=67E7FE74406360DE820F9BD7E3A8D42071DC5F4E36E1F0808E005D36055241F6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000113391Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:25:25.096{D0132419-04D0-614B-1300-00000000FC01}396NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=E9CFC1B4128137A7A43A8CA707D81DFA,SHA256=D149678C375F758C59A56791E05EA8A8C23639D774C8C5E37C942ABC739FFAF6,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000113394Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:25:23.535{D0132419-04E8-614B-6A00-00000000FC01}3852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local55920-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000113393Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:25:26.236{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=02319989BD58C67AE93714C12E9393A1,SHA256=842986FA07325DFA5F1E642CADC556DA43675FE6E916395235280E24246AA5D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000113395Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:25:27.236{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A1DB5E0BAAE85A7965AB1998D16B4C04,SHA256=A79FFDD904C6D96BCAE9E7664FF36BFC2BC94E4345815F44981445D9DEDA4249,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000095727Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:25:26.066{601D2BAB-04F9-614B-6600-00000000FD01}2700C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-301.eu-central-1.compute.internal50412-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000095726Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:25:27.017{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D38DD5D27C0636D135134A66E60E21E6,SHA256=DFB5AD26501F531F077CD2650ECEE13883CD5EA4267A14DBFD3303FD829935B0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000113396Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:25:28.267{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F35B527E8A72F934E4490319E9A92075,SHA256=B227DF84AAD4626D6D10F8827D9D6C381171A64B89427CFA6B59FB80859012D6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000095728Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:25:28.033{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA56543378694CFB231DBF98DEE0C01A,SHA256=9DDE431F5A3A7987D34E959E2C9165297BFB00CFF422C78F7C8E71AA46CCFFE9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000113397Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:25:29.283{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=28B5A15A807B99E334564E5F3535BD9E,SHA256=0F23BBE659DC00C2BBB14451CEC0B25D26D57137E1475E01C1FFE84851C71758,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000095729Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:25:29.033{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B24E5335F3CA449E6E89CD8D6009EA1,SHA256=16CC72FF13C3E81BCF8377206078E8992BFAFFB691C8D89BFAB64E23F84F5C41,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000113399Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:25:30.299{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0ABA1A71DD542D8490C8BA99FC4BEE28,SHA256=8FB38E520FA9951B2A5851111DF01A79E0D507022CAFE90740FC87B745EA4E98,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000095730Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:25:30.033{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B8C4A326E399144AE0179A711EB589F,SHA256=AA25DF02D1FC2B7896172BF26601FF41EFC33090E704173E82FA9C8C37D65E7C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000113398Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:25:30.049{D0132419-0A65-614B-4901-00000000FC01}22881204C:\Windows\system32\taskhostw.exe{D0132419-0A66-614B-5001-00000000FC01}4192C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000113411Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:25:28.660{D0132419-04E8-614B-6A00-00000000FC01}3852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local55921-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 13241300x8000000000000000113410Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-SetValue2021-09-22 11:25:31.330{D0132419-04CD-614B-0B00-00000000FC01}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000008) 13241300x8000000000000000113409Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-SetValue2021-09-22 11:25:31.330{D0132419-04CD-614B-0B00-00000000FC01}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x003644b3) 13241300x8000000000000000113408Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-SetValue2021-09-22 11:25:31.330{D0132419-04CD-614B-0B00-00000000FC01}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7af9c-0x2b77f383) 13241300x8000000000000000113407Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-SetValue2021-09-22 11:25:31.330{D0132419-04CD-614B-0B00-00000000FC01}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7afa4-0x8d3c5b83) 13241300x8000000000000000113406Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-SetValue2021-09-22 11:25:31.330{D0132419-04CD-614B-0B00-00000000FC01}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7afac-0xef00c383) 13241300x8000000000000000113405Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-SetValue2021-09-22 11:25:31.330{D0132419-04CD-614B-0B00-00000000FC01}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000008) 13241300x8000000000000000113404Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-SetValue2021-09-22 11:25:31.330{D0132419-04CD-614B-0B00-00000000FC01}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x003644b3) 13241300x8000000000000000113403Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-SetValue2021-09-22 11:25:31.330{D0132419-04CD-614B-0B00-00000000FC01}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7af9c-0x2b77f383) 13241300x8000000000000000113402Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-SetValue2021-09-22 11:25:31.330{D0132419-04CD-614B-0B00-00000000FC01}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7afa4-0x8d3c5b83) 13241300x8000000000000000113401Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-SetValue2021-09-22 11:25:31.330{D0132419-04CD-614B-0B00-00000000FC01}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7afac-0xef00c383) 23542300x8000000000000000113400Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:25:31.314{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=06F4379CA82DE4263E902AE902B5C6CE,SHA256=EFFE79D2214F77FE49B11165C909AACA477F1230730832A936902F6BA164FC4F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000095731Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:25:31.048{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7ADF31B45D56E59FFCF6B213082317CE,SHA256=1A1225515F4EDF746B1AABDCB0BB67D8E522144580B6F4ED28E869C853F93759,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000113412Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:25:32.346{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F7DE00EF27B2D9993858B76514AB1FB,SHA256=E30D9A9A22711F4CCCD64E22BF309C0AB1AC0A900D89176DAEA124925BFE7D02,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000095733Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:25:31.113{601D2BAB-04F9-614B-6600-00000000FD01}2700C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-301.eu-central-1.compute.internal50413-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000095732Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:25:32.048{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2CEBD63D5BD6B4E4D1A4130925E22C00,SHA256=95B2CA72584AEC8B5C1525694811BE10D2F6E7D905B33338E3110BFFDCBC69BB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000113413Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:25:33.361{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C384B9DF6EB49750EB333ED7CC70A70,SHA256=E367AEE6151CC61C7EE2D55C47E23DDC4CE32F5AB608E5E2B26F8784542F7F97,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000095734Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:25:33.080{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C7EB92A8828677D46510D750EE288CF0,SHA256=763801D037300D23019DFF604660A3EFC805BB4AE192949060B17885F086EECE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000113414Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:25:34.377{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5CA1AD26855388FF4A0E6FA50A0695A1,SHA256=B2D095765F68B5E59B83A2ABE20AEB437477EA5FE157D1DF6EE972C70E6807E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000095735Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:25:34.111{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A076220C7F3DDD2F48288D6AF438769,SHA256=0AAAACFD58069B6FC3ED6961F508CA6B42E4556555E4E568DA406D810F789546,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000113416Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:25:33.691{D0132419-04E8-614B-6A00-00000000FC01}3852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local55922-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000113415Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:25:35.392{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D616D3EFDD325B955FD23430A74F339F,SHA256=A4C5566E4846AF3ADA0A46CAEEACE343B8A8A25F09C7C9C9408A03146618AAD6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000095736Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:25:35.142{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=366800278BC1368119E91E5649478E5E,SHA256=4A9F482A1ED4EA07D3619C902DD0DD854BE42ECCA235096C1AC7349B1F573C6D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000113417Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:25:36.439{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=08EC3056AE1B740C62F2E5E104288EC8,SHA256=564755B1CC8804E52ACB629EBBCAC22A7FFE93CE526CB54F4D345B20F9A09185,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000095737Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:25:36.189{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=91B634F4DE40C8E7AB3468ED2234723E,SHA256=98437E5BB78D84EBBE5262F04920DBF57B98B2BED60CEBD6CF6920AC8452F472,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000113419Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:25:37.486{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7FCFCDE6EE87493A53F30F61A23A6BEA,SHA256=49D79233B07B7EAFE019F58349AEFCB52C0BADF08C125248C4973EBEC8666E46,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000095738Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:25:37.267{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9942E00BECA535BE0BDAF248AAC07F6A,SHA256=B5BD01D67B54188D97647E1A1A24D3D75232EEE1BB587230EC685586547ADA09,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000113418Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:25:37.064{D0132419-04DD-614B-2800-00000000FC01}2832NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=2990B16A694DD695D7F6C8AE7AEE48F0,SHA256=B465CF03FBDF89CAB3FC04972E2D540944CDC3DF8EB3010FFE979D2D499C10D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000113420Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:25:38.502{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=692F7056DE191C8DC0C9B742ED10FD1A,SHA256=797F88103F9C883F401C22B5790BAB7B9E64455707B31567B14D5704757073D8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000095740Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:25:38.267{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EDB796B725ABD6E2951E6A652C24CC3D,SHA256=647A1330EDFEF59FF8D7BD278BB1A6464A57DD447DD301C29BD917A3A30084A9,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000095739Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:25:36.129{601D2BAB-04F9-614B-6600-00000000FD01}2700C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-301.eu-central-1.compute.internal50414-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000113423Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:25:36.535{D0132419-04DD-614B-2800-00000000FC01}2832C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local55923-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 10341000x8000000000000000113422Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:25:39.627{D0132419-0A65-614B-4901-00000000FC01}22881204C:\Windows\system32\taskhostw.exe{D0132419-0A66-614B-5001-00000000FC01}4192C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000113421Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:25:39.517{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D06130A0F4F064CEF26FED435FA75D1,SHA256=3633195C8BDEECF356C45AE4A72BBECBD4E93B5B69B2BC6FC67D3D17D9A8A115,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000095741Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:25:39.330{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A036CB8C99AD30C4144C677FDF01743F,SHA256=AC2B34ED5623E7C88EB247AE12990589A599B423806A9FDE3AF39233ED9959B7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000113424Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:25:40.549{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F6BD9C47A4A406D901B40EF4D885DAFF,SHA256=81779C0F7C5D5DD4E43D50BE0ACBE997686A4C035B3C8AECB9A46B03B233E350,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000095742Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:25:40.371{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=47D645CD16E4303900FD6D3F2F5BADFE,SHA256=08CC4F8C2D08B11863A98CF9FE23F1805B5651913E13087C9F902A3963EF780D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000113430Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:25:41.580{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E8BE22A0A00DA09377D109EE0B852F20,SHA256=381BCE9B5787CA74FC1296CCBCE68BD1A16832E958C212017D373BACED165A72,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000095743Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:25:41.371{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4CDBE75094ACC7E03B08858FB2085FB7,SHA256=F7FB41ACE32A045A9394D633FA9E52155318B2D9C59F5F4C8F81C9A7EF7B63B6,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000113429Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:25:39.707{D0132419-04E8-614B-6A00-00000000FC01}3852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local55926-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000113428Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:25:39.342{D0132419-04CD-614B-0B00-00000000FC01}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:b08d:bb0:abe3:5127win-dc-639.attackrange.local55925-truefe80:0:0:0:b08d:bb0:abe3:5127win-dc-639.attackrange.local49666- 354300x8000000000000000113427Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:25:39.342{D0132419-04CD-614B-0B00-00000000FC01}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:b08d:bb0:abe3:5127win-dc-639.attackrange.local55925-truefe80:0:0:0:b08d:bb0:abe3:5127win-dc-639.attackrange.local49666- 354300x8000000000000000113426Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:25:39.341{D0132419-04CF-614B-0D00-00000000FC01}908C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:b08d:bb0:abe3:5127win-dc-639.attackrange.local55924-truefe80:0:0:0:b08d:bb0:abe3:5127win-dc-639.attackrange.local135epmap 354300x8000000000000000113425Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:25:39.341{D0132419-04CD-614B-0B00-00000000FC01}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:b08d:bb0:abe3:5127win-dc-639.attackrange.local55924-truefe80:0:0:0:b08d:bb0:abe3:5127win-dc-639.attackrange.local135epmap 23542300x8000000000000000113431Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:25:42.611{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=211174C525FC93233BC0C4AEDF1726FA,SHA256=40EE7556E273256FD5E3869FBC63AA3DDE279EBDEB2832BD0BD7213DC20C45C7,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000095746Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:25:41.155{601D2BAB-04F9-614B-6600-00000000FD01}2700C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-301.eu-central-1.compute.internal50415-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000095745Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:25:42.403{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC21F0A76CFC612864EAB7535A7AA586,SHA256=0166857E14BF441774766A9263A6D904132B20BA894B5F8AD7CF7962D56C48F3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000095744Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:25:42.074{601D2BAB-04EF-614B-2300-00000000FD01}1560NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=2990B16A694DD695D7F6C8AE7AEE48F0,SHA256=B465CF03FBDF89CAB3FC04972E2D540944CDC3DF8EB3010FFE979D2D499C10D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000113432Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:25:43.674{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=41E840F0A5B2CE6E33DB8DFE353D2CE7,SHA256=971AB26472AE445737EFD9965163E29E2DE90017A5DE179F642C48DCC377288A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000095747Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:25:43.418{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B43CE45C5FEA781CB4EE168CE4811582,SHA256=379E37138752963E8220852E6F55BE42623577F8E9F50208AB5AEA087214F021,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000113433Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:25:44.705{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F485557AE70FF1B9158AEA5054D678AE,SHA256=DFC12DDCCC7B7F9939F8091F3F4290AF3955396C42BFD2DFF19CF9233AB85460,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000095749Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:25:44.450{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=042A6C3343AFAA2F12D81F0D01503688,SHA256=09F0D5EC4FF73AF3219948784F58D847210CDC971A422A09D49B9C62583C131E,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000095748Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:25:42.014{601D2BAB-04EF-614B-2300-00000000FD01}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-301.eu-central-1.compute.internal50416-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x8000000000000000113434Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:25:45.721{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B2C5AE67E054DB532345AF5E110D725,SHA256=05BF2BBFEE9B63119E6FA63FAF96D201D54541B79DB2E3315E97706D45E68A27,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000095750Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:25:45.512{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C425F7D35D72D95D9550DDCD6F9D005A,SHA256=8C12709591F783D1E69980162A05599DB6E8608D8EE6BE01F1EF4D2B81886342,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000113436Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:25:46.721{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=62A79F83E4F7347EB427FAEDACF8DE48,SHA256=8BB368D3EF665C2DC083D89F8157D4ECE2345CC7D0F4D41ADA4063A77BFE3148,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000095751Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:25:46.543{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F71D8AFBCFDCF0B57460B286ECCA010D,SHA256=3FD010F7690BFB0EF7F0A31D13665A26A64B75F39BC6C598A05E9A8A7AF660A1,IMPHASH=00000000000000000000000000000000falsetrue 17141700x8000000000000000113435Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-CreatePipe2021-09-22 11:25:46.064{D0132419-0A66-614B-5001-00000000FC01}4192\UIA_PIPE_4192_000073cfC:\Windows\Explorer.EXE 354300x8000000000000000113438Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:25:45.587{D0132419-04E8-614B-6A00-00000000FC01}3852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local55927-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000113437Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:25:47.736{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=89482FA688BCC3D099E8AF8386AC228E,SHA256=E1C70736F677B7A6F1977668AB79F9A789E9180D9018FF5C05CFF6D92328402B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000095752Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:25:47.543{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=28E7237F91DC46846C946BCEF74C7B63,SHA256=FE1409C12CE58763636884F6976563E4FE2C9DBC200B14745DC03BDDD4F628DF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000113439Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:25:48.752{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C137291FBE4B851C888B70EDEF49524E,SHA256=DE4FA503AA95E315B5D25B613FDDABD6E69C7FB7DDAC303C6FAB3F80BD8856B7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000095753Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:25:48.543{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=89BA6C1B91E3508CA24B54BF25B4130E,SHA256=13B0DCF36F60135F253E9CAD9BD81912B386EDE064A38CAF5E35D741F811BA3A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000113453Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:25:49.753{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9A7D2678276CDC7EF4843C13F3158A67,SHA256=FFE42BDE8A3BB4337BB974EFBFACDCC57E7F5E051ACFDD02C137333A6159F8DE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000095755Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:25:49.543{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB26389759A4AD3B47B1EB24A14394E5,SHA256=1FE35C8689BE5F0C7C1214DBA7388941B16F5E29BE480BB8B49D1A7E994251E9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000113452Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:25:49.564{D0132419-04DE-614B-3100-00000000FC01}23683044C:\Windows\system32\conhost.exe{D0132419-12BD-614B-8002-00000000FC01}5000C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000113451Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:25:49.564{D0132419-04CF-614B-0C00-00000000FC01}8486036C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000113450Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:25:49.564{D0132419-04CF-614B-0C00-00000000FC01}8486036C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000113449Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:25:49.564{D0132419-04CF-614B-0C00-00000000FC01}8486036C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000113448Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:25:49.564{D0132419-04CF-614B-0C00-00000000FC01}8486036C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000113447Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:25:49.564{D0132419-04CD-614B-0500-00000000FC01}424540C:\Windows\system32\csrss.exe{D0132419-12BD-614B-8002-00000000FC01}5000C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000113446Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:25:49.564{D0132419-04DD-614B-2800-00000000FC01}28323704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D0132419-12BD-614B-8002-00000000FC01}5000C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000113445Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:25:49.565{D0132419-12BD-614B-8002-00000000FC01}5000C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D0132419-04CD-614B-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{D0132419-04DD-614B-2800-00000000FC01}2832C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 11241100x8000000000000000113444Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:25:49.377{D0132419-0A66-614B-5001-00000000FC01}4192C:\Windows\Explorer.EXEC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\AppData.lnk2021-09-22 11:25:49.377 11241100x8000000000000000113443Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:25:49.364{D0132419-0A66-614B-5001-00000000FC01}4192C:\Windows\Explorer.EXEC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\Roaming.lnk2021-09-22 11:25:49.346 23542300x8000000000000000113442Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:25:49.346{D0132419-0A66-614B-5001-00000000FC01}4192ATTACKRANGE\AdministratorC:\Windows\Explorer.EXEC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\Roaming.lnkMD5=6E376D000765AC0E2D4FE30C756FDFD1,SHA256=68D5DB90E24A2F9CFC102640361A44AE303FC8B50341E248A6990CA220DE1C75,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000113441Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:25:49.346{D0132419-0A66-614B-5001-00000000FC01}4192C:\Windows\Explorer.EXEC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\Roaming.lnk2021-09-22 11:25:49.346 11241100x8000000000000000113440Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:25:49.283{D0132419-0A66-614B-5001-00000000FC01}4192C:\Windows\Explorer.EXEC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\WIN32.lnk2021-09-22 11:25:49.283 354300x800000000000000095754Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:25:47.124{601D2BAB-04F9-614B-6600-00000000FD01}2700C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-301.eu-central-1.compute.internal50417-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x8000000000000000113472Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:25:50.971{D0132419-04DE-614B-3100-00000000FC01}23683044C:\Windows\system32\conhost.exe{D0132419-12BE-614B-8202-00000000FC01}5164C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000113471Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:25:50.971{D0132419-04CF-614B-0C00-00000000FC01}8486036C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000113470Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:25:50.971{D0132419-04CF-614B-0C00-00000000FC01}8486036C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000113469Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:25:50.971{D0132419-04CF-614B-0C00-00000000FC01}8486036C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000113468Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:25:50.971{D0132419-04CF-614B-0C00-00000000FC01}8486036C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000113467Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:25:50.971{D0132419-04CD-614B-0500-00000000FC01}42492C:\Windows\system32\csrss.exe{D0132419-12BE-614B-8202-00000000FC01}5164C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000113466Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:25:50.971{D0132419-04DD-614B-2800-00000000FC01}28323704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D0132419-12BE-614B-8202-00000000FC01}5164C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000113465Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:25:50.972{D0132419-12BE-614B-8202-00000000FC01}5164C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D0132419-04CD-614B-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{D0132419-04DD-614B-2800-00000000FC01}2832C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000113464Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:25:50.767{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=17135492E9B9019B006ADB624835CBC4,SHA256=730CF95D17308A7FB9DAEEACAA6AC26D5AF1AA7F6D96E4BDE2A4302C22B39E93,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000095756Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:25:50.543{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F977341B7178512D578424BAF2704EE4,SHA256=C4004838D09CF6555E8D8AE3BCC889246662DDCA4DA75EF031F0F101BAD9ECEC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000113463Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:25:50.596{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=782D321F4DE892DDDDDBC5F038F73B6D,SHA256=EBD0F405197013474FCAC3A719CFBC7E228C329E361AE9E18A53A13E1ED5F193,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000113462Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:25:50.596{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FEA2B4C9AA0189B327441C462DF33D0B,SHA256=4F75533A3820C0B1D8E54021AC4599A8256816A8B7554B7EF178B75875511B09,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000113461Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:25:50.455{D0132419-04DE-614B-3100-00000000FC01}23683044C:\Windows\system32\conhost.exe{D0132419-12BE-614B-8102-00000000FC01}4944C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000113460Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:25:50.455{D0132419-04CF-614B-0C00-00000000FC01}8486036C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000113459Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:25:50.455{D0132419-04CF-614B-0C00-00000000FC01}8486036C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000113458Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:25:50.455{D0132419-04CF-614B-0C00-00000000FC01}8486036C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000113457Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:25:50.455{D0132419-04CF-614B-0C00-00000000FC01}8486036C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000113456Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:25:50.455{D0132419-04CD-614B-0500-00000000FC01}424440C:\Windows\system32\csrss.exe{D0132419-12BE-614B-8102-00000000FC01}4944C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000113455Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:25:50.455{D0132419-04DD-614B-2800-00000000FC01}28323704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D0132419-12BE-614B-8102-00000000FC01}4944C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000113454Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:25:50.456{D0132419-12BE-614B-8102-00000000FC01}4944C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D0132419-04CD-614B-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{D0132419-04DD-614B-2800-00000000FC01}2832C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000113474Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:25:51.814{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=265753CE8F8D0D65DD2995F061CA41B6,SHA256=1FF599351AD6AFCE906B0BC35189B3229CE2D97F70C37DD93B632865D211DCC3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000095757Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:25:51.543{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=54C8719964A8AEE115BC04EBFE27D9AC,SHA256=FE2099CDE305D84A2048292A03875C5D0251AC94B7190893753F40A8E4ED10AA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000113473Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:25:51.142{D0132419-12BE-614B-8202-00000000FC01}51645640C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{D0132419-04DD-614B-2800-00000000FC01}2832C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000113478Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:25:50.504{D0132419-04CD-614B-0B00-00000000FC01}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local55928-true0:0:0:0:0:0:0:1win-dc-639.attackrange.local389ldap 354300x8000000000000000113477Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:25:50.504{D0132419-04DD-614B-2500-00000000FC01}2784C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local55928-true0:0:0:0:0:0:0:1win-dc-639.attackrange.local389ldap 23542300x8000000000000000113476Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:25:52.830{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=99E848939076DE709F29267AA1497163,SHA256=134E2FF47C73E4CAB69E7101B6C4533627FD4FBCD6CA56E0B4B749CC514E01FA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000095758Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:25:52.543{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=35EE823BB9CBB07A0652D7B85E11DFC4,SHA256=AB89C27899EF698A95AFC0B880589873701790CB2A5F2A03D75FC5AA70ECADDD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000113475Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:25:52.002{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=782D321F4DE892DDDDDBC5F038F73B6D,SHA256=EBD0F405197013474FCAC3A719CFBC7E228C329E361AE9E18A53A13E1ED5F193,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000113489Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:25:51.503{D0132419-04E8-614B-6A00-00000000FC01}3852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local55929-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000113488Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:25:53.846{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=712DF19D44D3C8BADE355AC73F409711,SHA256=A70462EA1A35B6D7AB82E082C657C99BF8CF093BC0A5D5D2D68557745E3A8EC5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000095759Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:25:53.543{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0221D5A662BDDE65A4A865DADC7C9AB8,SHA256=0A8619F60CE14A3925A479185CDC251A31549D84AF866735F114DD1ADD6B59E6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000113487Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:25:53.705{D0132419-12C1-614B-8302-00000000FC01}45085600C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D0132419-04DD-614B-2800-00000000FC01}2832C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000113486Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:25:53.549{D0132419-04DE-614B-3100-00000000FC01}23683044C:\Windows\system32\conhost.exe{D0132419-12C1-614B-8302-00000000FC01}4508C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000113485Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:25:53.549{D0132419-04CF-614B-0C00-00000000FC01}8481412C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000113484Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:25:53.549{D0132419-04CF-614B-0C00-00000000FC01}8481412C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000113483Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:25:53.549{D0132419-04CF-614B-0C00-00000000FC01}8481412C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000113482Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:25:53.549{D0132419-04CD-614B-0500-00000000FC01}424440C:\Windows\system32\csrss.exe{D0132419-12C1-614B-8302-00000000FC01}4508C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000113481Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:25:53.549{D0132419-04CF-614B-0C00-00000000FC01}8481412C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000113480Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:25:53.549{D0132419-04DD-614B-2800-00000000FC01}28323704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D0132419-12C1-614B-8302-00000000FC01}4508C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000113479Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:25:53.549{D0132419-12C1-614B-8302-00000000FC01}4508C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D0132419-04CD-614B-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{D0132419-04DD-614B-2800-00000000FC01}2832C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000113491Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:25:54.861{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FCE2955A50430BE69F1EA92D1863570B,SHA256=DF0ED1D5196B1A3F4689051D364F1E20C8CAFCEAA6CF944923388A43C3783AA8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000095760Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:25:54.543{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D58A06B1FEAF9C1C33FE00E0023601F,SHA256=D8724741295B8D3F4064703707AFCE051F23BD804052B783755010CF6F8495B3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000113490Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:25:54.580{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9405B94437DE5F11FFB63A1BD9E5B843,SHA256=39C71C090C67F9D7B636F6BF290409EB24EDFE12C6BE10FCA6402E41F909B4AC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000113499Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:25:55.877{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=39B1DE4624369EB90F953180A04CC9C2,SHA256=2521D2ABC7F5A75C045FDD10792BA66BDE0F16C4FD207220DF749A79F47E3B99,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000095763Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:25:55.543{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C9180DE5373C0751DA062BAFD88F2F89,SHA256=8B58248A7E8ED27F550DFD050DB56D6CE8551FE0DFAE9087D457E0DBBAF7D023,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000113498Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:25:55.502{D0132419-0A66-614B-5001-00000000FC01}4192C:\Windows\Explorer.EXEC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\AppData.lnk2021-09-22 11:25:49.377 23542300x8000000000000000113497Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:25:55.502{D0132419-0A66-614B-5001-00000000FC01}4192ATTACKRANGE\AdministratorC:\Windows\Explorer.EXEC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\AppData.lnkMD5=0F48FE9828DC764B0A633F0D46DF99A7,SHA256=FC97FC489B14ECACC5374915B9D67C3B5E6D9DD092E1FB50706229C2BA4FE3E5,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000113496Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:25:55.486{D0132419-0A66-614B-5001-00000000FC01}4192C:\Windows\Explorer.EXEC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\Roaming.lnk2021-09-22 11:25:49.346 23542300x8000000000000000113495Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:25:55.486{D0132419-0A66-614B-5001-00000000FC01}4192ATTACKRANGE\AdministratorC:\Windows\Explorer.EXEC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\Roaming.lnkMD5=39916818B3E03286124F17235DAEBE9E,SHA256=F529269CB13E9BB37115D7C1BEA85D7D6E81079C0C6BAB7A4285BC8E92365F05,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000113494Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:25:55.486{D0132419-0A66-614B-5001-00000000FC01}4192C:\Windows\Explorer.EXEC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\Roaming.lnk2021-09-22 11:25:49.346 23542300x8000000000000000113493Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:25:55.486{D0132419-0A66-614B-5001-00000000FC01}4192ATTACKRANGE\AdministratorC:\Windows\Explorer.EXEC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\Roaming.lnkMD5=6E376D000765AC0E2D4FE30C756FDFD1,SHA256=68D5DB90E24A2F9CFC102640361A44AE303FC8B50341E248A6990CA220DE1C75,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000113492Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:25:55.471{D0132419-0A66-614B-5001-00000000FC01}4192C:\Windows\Explorer.EXEC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\audio.lnk2021-09-22 11:25:55.471 23542300x800000000000000095762Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:25:55.340{601D2BAB-04EE-614B-1100-00000000FD01}972NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=11916A05463173AB85EF3A47DB370F75,SHA256=28C636046D2D7ACC12FDEC2FA7F633E81185D3E014F3AD242E42F99F522C2423,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000095761Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:25:53.124{601D2BAB-04F9-614B-6600-00000000FD01}2700C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-301.eu-central-1.compute.internal50418-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000113500Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:25:56.892{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=54E049AFA390DA56817B18A3B68886E7,SHA256=289CAD9F90B3357B51C7F35F81A4295A5978F5CB1867BF74CD0EC1F92FE0327A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000095764Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:25:56.543{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B7B25D4C91DEF872514ADCB71EAE529D,SHA256=B528BEA523EC6DC4766FAA41DC5F7EA1A4DAFE5550F438737CADEAA83A41ED05,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000113501Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:25:57.908{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=21B7EF532EF7FE8F1B35F001F6DC22AC,SHA256=96108ED631EA6F2D30E950C09E0E659B7DC2B40B058EBE15DCAD26AA53B74D86,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000095765Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:25:57.559{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=735F90FFFE742F14165E93361D02732F,SHA256=7FC1E14D1FD4B84D1AD480823E8CFA3FE817C3F25A1C2753DF2F71D5794CE990,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000095766Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:25:58.559{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B014C8D783303ACF2625D9043668CE26,SHA256=5055752F956C30FA0D1B36E2ECA00F3ECA3E92C428AB3EA41A4C92D74DB98059,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000095767Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:25:59.559{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=15FB9FB39409CB0CAB787D13B01B5DEB,SHA256=DDE7F231CAEDB0157631C822EB85660A64070D11E249B4CAE0DDA7C7E646C76C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000113503Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:25:56.707{D0132419-04E8-614B-6A00-00000000FC01}3852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local55930-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000113502Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:25:59.002{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F3AB8108C8BF7B975A99E0EA9546B364,SHA256=14BB9258AA992152516B4B070EA2AA0A6574E25830220D4D4538E9A9E3779EAD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000095769Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:26:00.571{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=167DF518D6669A59F892B478D558E855,SHA256=D8B620EE5816D3EACD281D3014DC721A3149235E09065F7C7C6FECF263662BE1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000113504Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:26:00.002{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0CB422ECA8075C78A235D34920689D91,SHA256=2ADB170F57A3BE2C66F04D4CC2C92D2A7BC67D2D91BE66D5D46BB63C8563ED42,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000095768Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:25:59.046{601D2BAB-04F9-614B-6600-00000000FD01}2700C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-301.eu-central-1.compute.internal50419-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000095770Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:26:01.571{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B176290B69D946668B31441B89A8BFEB,SHA256=A5922B3A43E815BA5FD12FEB1D9E497B9F91D802554AAF66AA949E13B1EF120B,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000113506Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:26:01.267{D0132419-0A66-614B-5001-00000000FC01}4192C:\Windows\Explorer.EXEC:\Users\Administrator\AppData\Roaming\WIN32\New Text Document.txt2021-09-22 11:26:01.267 23542300x8000000000000000113505Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:26:01.049{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BD9776C1952832157B28F64E348EE332,SHA256=5E867216046B3DAC8FAC20747E3DDBEC919331104D615D7B568FE4CEA5F8F630,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000095771Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:26:02.571{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=80D7A594FA563562878E49477C1315E4,SHA256=DBB9894736222C6B7202920E104C6400EF5E8151A039168FC2AB35444DC5D075,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000113510Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:26:02.314{D0132419-0A66-614B-5001-00000000FC01}4192C:\Windows\Explorer.EXEC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\WIN32.lnk2021-09-22 11:25:49.283 23542300x8000000000000000113509Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:26:02.314{D0132419-0A66-614B-5001-00000000FC01}4192ATTACKRANGE\AdministratorC:\Windows\Explorer.EXEC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\WIN32.lnkMD5=85ACC86F0330E5DC6FF0AEEF56578F88,SHA256=4591B784B6B20852D51246A3E44D103CE77FBC82203563DB3613C862117BDB59,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000113508Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:26:02.299{D0132419-0A66-614B-5001-00000000FC01}4192C:\Windows\Explorer.EXEC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\New Text Document.txt.lnk2021-09-22 11:26:02.299 23542300x8000000000000000113507Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:26:02.064{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=63434B9A19CA21E51C42F702750D5359,SHA256=9D0417A1D6EE0C5D42478F5426A6E8ED4391FB94E68AAF777DE3F9E9313A2B42,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000095772Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:26:03.587{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B90FCDDB5D44F9C73881ECF5EB40DD3B,SHA256=28027AD7A54ECE3036F7FC449BF1DE8BA972DFF86FFFE39187F43018FAF868B3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000113513Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:26:03.314{D0132419-0A65-614B-4901-00000000FC01}22881204C:\Windows\system32\taskhostw.exe{D0132419-0A66-614B-5001-00000000FC01}4192C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000113512Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:26:03.236{D0132419-0A65-614B-4901-00000000FC01}22881204C:\Windows\system32\taskhostw.exe{D0132419-0A66-614B-5001-00000000FC01}4192C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000113511Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:26:03.080{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=56DDEF7EA58ED617249CF08DF1904568,SHA256=D376A4A5076FAA24F09E54C3E7F353EAD5A164A550638B037E83DA6113E66960,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000095773Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:26:04.587{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D45EEF0B46A54E09F7B1DA118D7EA7B7,SHA256=5166C0CFB29CE0AAAF124E398A4353193E1DC5CF699711E5C004ACD1160F0948,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000113514Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:26:04.096{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=098998E53A7F7E35800EB992CD07F60F,SHA256=DD7912DCB0E226D83DC7E0861BF39D7EC681A52B6A5D095F06A6DB11610AD0DF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000095787Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:26:05.962{601D2BAB-04F0-614B-2B00-00000000FD01}28122832C:\Windows\system32\conhost.exe{601D2BAB-12CD-614B-3402-00000000FD01}1828C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000095786Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:26:05.962{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000095785Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:26:05.962{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000095784Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:26:05.962{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000095783Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:26:05.962{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000095782Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:26:05.962{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000095781Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:26:05.962{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000095780Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:26:05.962{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000095779Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:26:05.962{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000095778Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:26:05.962{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000095777Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:26:05.962{601D2BAB-04ED-614B-0500-00000000FD01}412428C:\Windows\system32\csrss.exe{601D2BAB-12CD-614B-3402-00000000FD01}1828C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000095776Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:26:05.962{601D2BAB-04EF-614B-2300-00000000FD01}15603852C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{601D2BAB-12CD-614B-3402-00000000FD01}1828C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000095775Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:26:05.963{601D2BAB-12CD-614B-3402-00000000FD01}1828C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{601D2BAB-04EE-614B-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{601D2BAB-04EF-614B-2300-00000000FD01}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000095774Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:26:05.587{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5DFBA2256428314BBEF77E4CBDBE9965,SHA256=653C1BF59F49752294A0DBE0699F745EE027101CA59A19359537B327AB98F782,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000113516Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:26:02.628{D0132419-04E8-614B-6A00-00000000FC01}3852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local55931-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000113515Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:26:05.111{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=687FFB408D860208170837BAE051B734,SHA256=C266BFA280C9AAD91E9D1B1452F415C58F01A73B1E6699E3853BE98787CC66D6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000095790Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:26:06.993{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4F1EE346F21DCAAADFCE8B89CF469156,SHA256=CA2B840388405F64DFAF5943F94DB7589662294A88E90DA43D304A8737FE4C8D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000095789Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:26:06.993{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=21CF702DC48D4E2FC42843506D45C92A,SHA256=4400D3ABBAB1509E78B198A732A14626167004AF52CFDC05A186972EF7E4AB92,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000095788Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:26:06.587{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB130A4E939256D7F4157C2EA009701B,SHA256=E8C249C8D76DD5C5F462708F4D9A1D49B5C99A980C9B717DF9F9450D7D50CDF4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000113559Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:26:06.895{D0132419-12CE-614B-8702-00000000FC01}60485420C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{D0132419-04DD-614B-2800-00000000FC01}2832C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000113558Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:26:06.723{D0132419-04DE-614B-3100-00000000FC01}23683044C:\Windows\system32\conhost.exe{D0132419-12CE-614B-8702-00000000FC01}6048C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000113557Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:26:06.723{D0132419-04CF-614B-0C00-00000000FC01}8486036C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000113556Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:26:06.723{D0132419-04CF-614B-0C00-00000000FC01}8486036C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000113555Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:26:06.723{D0132419-04CF-614B-0C00-00000000FC01}8486036C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000113554Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:26:06.723{D0132419-04CF-614B-0C00-00000000FC01}8486036C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000113553Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:26:06.723{D0132419-04CD-614B-0500-00000000FC01}42492C:\Windows\system32\csrss.exe{D0132419-12CE-614B-8702-00000000FC01}6048C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000113552Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:26:06.723{D0132419-04DD-614B-2800-00000000FC01}28323704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D0132419-12CE-614B-8702-00000000FC01}6048C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000113551Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:26:06.724{D0132419-12CE-614B-8702-00000000FC01}6048C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D0132419-04CD-614B-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{D0132419-04DD-614B-2800-00000000FC01}2832C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000113550Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:26:06.549{D0132419-0A66-614B-5001-00000000FC01}41924300C:\Windows\Explorer.EXE{D0132419-12CE-614B-8502-00000000FC01}5580C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62f15|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000113549Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:26:06.549{D0132419-0A66-614B-5001-00000000FC01}41924300C:\Windows\Explorer.EXE{D0132419-12CE-614B-8502-00000000FC01}5580C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e2e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000113548Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:26:06.549{D0132419-0A66-614B-5001-00000000FC01}41924300C:\Windows\Explorer.EXE{D0132419-12CE-614B-8502-00000000FC01}5580C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62df7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000113547Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:26:06.533{D0132419-0A65-614B-4901-00000000FC01}22881204C:\Windows\system32\taskhostw.exe{D0132419-12CE-614B-8602-00000000FC01}5880C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000113546Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:26:06.533{D0132419-0A65-614B-4901-00000000FC01}22881204C:\Windows\system32\taskhostw.exe{D0132419-12CE-614B-8602-00000000FC01}5880C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000113545Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:26:06.471{D0132419-0A66-614B-5001-00000000FC01}41924428C:\Windows\Explorer.EXE{D0132419-12CE-614B-8502-00000000FC01}5580C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62f15|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000113544Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:26:06.471{D0132419-0A66-614B-5001-00000000FC01}41924428C:\Windows\Explorer.EXE{D0132419-12CE-614B-8502-00000000FC01}5580C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e2e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000113543Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:26:06.471{D0132419-0A66-614B-5001-00000000FC01}41924428C:\Windows\Explorer.EXE{D0132419-12CE-614B-8502-00000000FC01}5580C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62df7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000113542Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:26:06.471{D0132419-0A66-614B-5001-00000000FC01}41924428C:\Windows\Explorer.EXE{D0132419-12CE-614B-8502-00000000FC01}5580C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000113541Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:26:06.455{D0132419-0A66-614B-5001-00000000FC01}41924344C:\Windows\Explorer.EXE{D0132419-12CE-614B-8602-00000000FC01}5880C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62890|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000113540Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:26:06.455{D0132419-0A66-614B-5001-00000000FC01}41924344C:\Windows\Explorer.EXE{D0132419-12CE-614B-8602-00000000FC01}5880C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47bc0|C:\Windows\System32\SHELL32.dll+6284c|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000113539Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:26:06.455{D0132419-0A66-614B-5001-00000000FC01}41924344C:\Windows\Explorer.EXE{D0132419-12CE-614B-8602-00000000FC01}5880C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62820|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000113538Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:26:06.455{D0132419-0A66-614B-5001-00000000FC01}41924344C:\Windows\Explorer.EXE{D0132419-12CE-614B-8602-00000000FC01}5880C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000113537Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:26:06.455{D0132419-12CE-614B-8402-00000000FC01}3644924C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D0132419-04DD-614B-2800-00000000FC01}2832C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000113536Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:26:06.439{D0132419-04D0-614B-1000-00000000FC01}3883948C:\Windows\system32\svchost.exe{D0132419-12CE-614B-8602-00000000FC01}5880C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000113535Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:26:06.439{D0132419-04D0-614B-1000-00000000FC01}3881348C:\Windows\system32\svchost.exe{D0132419-12CE-614B-8602-00000000FC01}5880C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000113534Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:26:06.424{D0132419-12CE-614B-8602-00000000FC01}5880300C:\Windows\system32\conhost.exe{D0132419-12CE-614B-8502-00000000FC01}5580C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000113533Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:26:06.408{D0132419-0A63-614B-3F01-00000000FC01}30761764C:\Windows\system32\csrss.exe{D0132419-12CE-614B-8602-00000000FC01}5880C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000113532Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:26:06.361{D0132419-0A63-614B-3F01-00000000FC01}30763140C:\Windows\system32\csrss.exe{D0132419-12CE-614B-8502-00000000FC01}5580C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000113531Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:26:06.361{D0132419-0A66-614B-5001-00000000FC01}41923872C:\Windows\Explorer.EXE{D0132419-12CE-614B-8502-00000000FC01}5580C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+a909f|C:\Windows\System32\windows.storage.dll+a8d15|C:\Windows\System32\windows.storage.dll+a8806|C:\Windows\System32\windows.storage.dll+a9c78|C:\Windows\System32\windows.storage.dll+a862e|C:\Windows\System32\windows.storage.dll+ab445|C:\Windows\System32\windows.storage.dll+ab7c4|C:\Windows\System32\windows.storage.dll+204ae4|C:\Windows\System32\windows.storage.dll+ad62a|C:\Windows\System32\windows.storage.dll+ad3e2|C:\Windows\System32\SHELL32.dll+3f8bd|C:\Windows\System32\SHELL32.dll+3e456|C:\Windows\System32\SHELL32.dll+801d1|C:\Windows\System32\SHELL32.dll+6716e|C:\Windows\System32\SHELL32.dll+1757a0|C:\Windows\System32\SHELL32.dll+17c27c|C:\Windows\System32\SHELL32.dll+19ea38|C:\Windows\System32\SHELL32.dll+17c416|C:\Windows\system32\explorerframe.dll+13cf7b|C:\Windows\system32\explorerframe.dll+139d07 10341000x8000000000000000113530Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:26:06.361{D0132419-04CF-614B-0C00-00000000FC01}8486036C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000113529Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:26:06.361{D0132419-04CF-614B-0C00-00000000FC01}8486036C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000113528Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:26:06.361{D0132419-04CF-614B-0C00-00000000FC01}8486036C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000113527Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:26:06.361{D0132419-04CF-614B-0C00-00000000FC01}8486036C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000113526Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:26:06.359{D0132419-12CE-614B-8502-00000000FC01}5580C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"cmd.exe" /s /k pushd "C:\Users\Administrator\AppData\Roaming\WIN32"C:\Windows\system32\ATTACKRANGE\Administrator{D0132419-0A65-614B-76B4-0E0000000000}0xeb4762HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{D0132419-0A66-614B-5001-00000000FC01}4192C:\Windows\explorer.exeC:\Windows\Explorer.EXE /NOUACCHECK 10341000x8000000000000000113525Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:26:06.221{D0132419-04DE-614B-3100-00000000FC01}23683044C:\Windows\system32\conhost.exe{D0132419-12CE-614B-8402-00000000FC01}364C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000113524Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:26:06.221{D0132419-04CF-614B-0C00-00000000FC01}8486036C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000113523Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:26:06.221{D0132419-04CF-614B-0C00-00000000FC01}8486036C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000113522Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:26:06.221{D0132419-04CF-614B-0C00-00000000FC01}8486036C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000113521Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:26:06.221{D0132419-04CF-614B-0C00-00000000FC01}8486036C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000113520Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:26:06.221{D0132419-04CD-614B-0500-00000000FC01}42492C:\Windows\system32\csrss.exe{D0132419-12CE-614B-8402-00000000FC01}364C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000113519Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:26:06.221{D0132419-04DD-614B-2800-00000000FC01}28323704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D0132419-12CE-614B-8402-00000000FC01}364C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000113518Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:26:06.221{D0132419-12CE-614B-8402-00000000FC01}364C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{D0132419-04CD-614B-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{D0132419-04DD-614B-2800-00000000FC01}2832C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000113517Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:26:06.111{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4507F54EAB87B441F0615745707A58AE,SHA256=734D1945FFF250064B2C45342CC2D33101FC489EBABC898583DC6A8AC193B182,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000095819Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:26:07.852{601D2BAB-12CF-614B-3602-00000000FD01}19843236C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{601D2BAB-04EF-614B-2300-00000000FD01}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x800000000000000095818Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:26:05.043{601D2BAB-04F9-614B-6600-00000000FD01}2700C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-301.eu-central-1.compute.internal50420-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x800000000000000095817Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:26:07.727{601D2BAB-04F0-614B-2B00-00000000FD01}28122832C:\Windows\system32\conhost.exe{601D2BAB-12CF-614B-3602-00000000FD01}1984C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000095816Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:26:07.727{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000095815Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:26:07.727{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000095814Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:26:07.727{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000095813Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:26:07.727{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000095812Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:26:07.727{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000095811Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:26:07.727{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000095810Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:26:07.727{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000095809Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:26:07.727{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000095808Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:26:07.727{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000095807Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:26:07.727{601D2BAB-04ED-614B-0500-00000000FD01}4121044C:\Windows\system32\csrss.exe{601D2BAB-12CF-614B-3602-00000000FD01}1984C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000095806Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:26:07.727{601D2BAB-04EF-614B-2300-00000000FD01}15603852C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{601D2BAB-12CF-614B-3602-00000000FD01}1984C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000095805Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:26:07.729{601D2BAB-12CF-614B-3602-00000000FD01}1984C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{601D2BAB-04EE-614B-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{601D2BAB-04EF-614B-2300-00000000FD01}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000095804Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:26:07.602{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=260F9B0E49B9E47CD54FA974A18E3280,SHA256=63B0A6EAAC5AA92BF76947B63628D50D7A3A6E2F0C104B37AF267855EBBB64CE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000113571Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:26:07.304{D0132419-04DE-614B-3100-00000000FC01}23683044C:\Windows\system32\conhost.exe{D0132419-12CF-614B-8802-00000000FC01}4556C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000113570Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:26:07.304{D0132419-04CF-614B-0C00-00000000FC01}8486036C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000113569Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:26:07.304{D0132419-04CF-614B-0C00-00000000FC01}8486036C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000113568Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:26:07.304{D0132419-04CF-614B-0C00-00000000FC01}8486036C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000113567Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:26:07.304{D0132419-04CF-614B-0C00-00000000FC01}8486036C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000113566Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:26:07.304{D0132419-04CD-614B-0500-00000000FC01}42492C:\Windows\system32\csrss.exe{D0132419-12CF-614B-8802-00000000FC01}4556C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000113565Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:26:07.304{D0132419-04DD-614B-2800-00000000FC01}28323704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D0132419-12CF-614B-8802-00000000FC01}4556C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000113564Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:26:07.305{D0132419-12CF-614B-8802-00000000FC01}4556C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D0132419-04CD-614B-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{D0132419-04DD-614B-2800-00000000FC01}2832C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000113563Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:26:07.232{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=34A25A2A52B7384FD33CA24C35B9EB09,SHA256=DF327F34623657D9CC0661D172E45E3CDD4672ABC084EC0CEB681F0F6F3ED3F5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000113562Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:26:07.231{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EC07DB8B40278B2C08A936D683352F5B,SHA256=14F0AE97D80FE8F5F260E7FC3B772F307216286A57B959DB60634F134E476B9F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000113561Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:26:07.164{D0132419-04DD-614B-2900-00000000FC01}2876NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-00d0db05f68d8430c\channels\health\respondent-20210922102639-057MD5=345F625AB226979275E8E5CD8333D545,SHA256=49B2C959B2C09B2DF7CFAED4905912E8B63F426A3734D76F2BAAFA07100D73D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000113560Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:26:07.145{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=42B27D6AA115A91B7EB35421F40134ED,SHA256=441C788773C41841F9387528D421B8A7F4EB628C77246982F077F133E45D9ECC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000095803Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:26:07.102{601D2BAB-04F0-614B-2B00-00000000FD01}28122832C:\Windows\system32\conhost.exe{601D2BAB-12CF-614B-3502-00000000FD01}2484C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000095802Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:26:07.102{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000095801Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:26:07.102{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000095800Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:26:07.102{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000095799Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:26:07.102{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000095798Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:26:07.102{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000095797Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:26:07.102{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000095796Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:26:07.102{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000095795Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:26:07.102{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000095794Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:26:07.102{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000095793Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:26:07.102{601D2BAB-04ED-614B-0500-00000000FD01}412428C:\Windows\system32\csrss.exe{601D2BAB-12CF-614B-3502-00000000FD01}2484C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000095792Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:26:07.102{601D2BAB-04EF-614B-2300-00000000FD01}15603852C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{601D2BAB-12CF-614B-3502-00000000FD01}2484C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000095791Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:26:07.104{601D2BAB-12CF-614B-3502-00000000FD01}2484C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{601D2BAB-04EE-614B-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{601D2BAB-04EF-614B-2300-00000000FD01}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000095821Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:26:08.602{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D7AA33E74FE7A3733200B0AB2E542BCB,SHA256=B7D48201D7E41835CEBDCDA03D41AA46A2171D2AB2FC94C9E8C2FE7D7229F62B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000113574Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:26:08.537{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=34A25A2A52B7384FD33CA24C35B9EB09,SHA256=DF327F34623657D9CC0661D172E45E3CDD4672ABC084EC0CEB681F0F6F3ED3F5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000113573Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:26:08.164{D0132419-04DD-614B-2900-00000000FC01}2876NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-00d0db05f68d8430c\channels\health\surveyor-20210922102637-058MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000113572Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:26:08.148{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=743ECE968DCDD8EEC3654208EA62DAE7,SHA256=AB53D7962372A73B7839B969551D74545FDCCCA1181CA098CB97EF0080E11060,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000095820Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:26:08.165{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4F1EE346F21DCAAADFCE8B89CF469156,SHA256=CA2B840388405F64DFAF5943F94DB7589662294A88E90DA43D304A8737FE4C8D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000095836Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:26:09.884{601D2BAB-12D1-614B-3702-00000000FD01}3704864C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{601D2BAB-04EF-614B-2300-00000000FD01}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000095835Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:26:09.759{601D2BAB-04F0-614B-2B00-00000000FD01}28122832C:\Windows\system32\conhost.exe{601D2BAB-12D1-614B-3702-00000000FD01}3704C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000095834Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:26:09.759{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000095833Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:26:09.759{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000095832Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:26:09.759{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000095831Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:26:09.759{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000095830Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:26:09.759{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000095829Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:26:09.759{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000095828Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:26:09.759{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000095827Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:26:09.759{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000095826Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:26:09.759{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000095825Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:26:09.759{601D2BAB-04ED-614B-0500-00000000FD01}412428C:\Windows\system32\csrss.exe{601D2BAB-12D1-614B-3702-00000000FD01}3704C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000095824Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:26:09.759{601D2BAB-04EF-614B-2300-00000000FD01}15603852C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{601D2BAB-12D1-614B-3702-00000000FD01}3704C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000095823Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:26:09.759{601D2BAB-12D1-614B-3702-00000000FD01}3704C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{601D2BAB-04EE-614B-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{601D2BAB-04EF-614B-2300-00000000FD01}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000095822Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:26:09.602{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D05265506F3EB61CEB85A5D8FA2B572B,SHA256=A7D6640D89B2138884A7D95702C46CF3088FFB7C12BB370FDEEF3E3F381BBD47,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000113575Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:26:09.165{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=852794E1838A4AA22ECBEB3A840CFBC4,SHA256=94FA841B8EADE499CEC2B54DA0D8B4CEAEEB3EBF4F7A222CACF79C769F681D28,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000095865Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:26:10.993{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=842A37539FF9D7292440B1AA5596BAA5,SHA256=0754C014A4AC0A322AE804B95CAD1C3D194D0D9D91DF412384DCD48DF6E7C927,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000095864Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:26:10.977{601D2BAB-04F0-614B-2B00-00000000FD01}28122832C:\Windows\system32\conhost.exe{601D2BAB-12D2-614B-3902-00000000FD01}944C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000095863Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:26:10.977{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000095862Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:26:10.977{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000095861Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:26:10.977{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000095860Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:26:10.977{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000095859Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:26:10.977{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000095858Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:26:10.977{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000095857Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:26:10.977{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000095856Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:26:10.977{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000095855Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:26:10.977{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000095854Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:26:10.977{601D2BAB-04ED-614B-0500-00000000FD01}412428C:\Windows\system32\csrss.exe{601D2BAB-12D2-614B-3902-00000000FD01}944C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000095853Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:26:10.977{601D2BAB-04EF-614B-2300-00000000FD01}15603852C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{601D2BAB-12D2-614B-3902-00000000FD01}944C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000095852Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:26:10.980{601D2BAB-12D2-614B-3902-00000000FD01}944C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{601D2BAB-04EE-614B-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{601D2BAB-04EF-614B-2300-00000000FD01}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000095851Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:26:10.977{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB047BD50BA9FA67320546843B0D5614,SHA256=EF2D2744547BE69482EBEADAE436C6974C3AF99D3647A86E2E052E6EEE58174D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000113576Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:26:10.181{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D36F347365E9EDF186599425B95D42AA,SHA256=18EE6F4459FC28E672D9EB5739AD171D86D5B316395A4F376AEE87C698776799,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000095850Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:26:10.587{601D2BAB-12D2-614B-3802-00000000FD01}12243196C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{601D2BAB-04EF-614B-2300-00000000FD01}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000095849Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:26:10.431{601D2BAB-04F0-614B-2B00-00000000FD01}28122832C:\Windows\system32\conhost.exe{601D2BAB-12D2-614B-3802-00000000FD01}1224C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000095848Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:26:10.431{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000095847Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:26:10.431{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000095846Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:26:10.431{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000095845Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:26:10.431{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000095844Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:26:10.431{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000095843Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:26:10.431{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000095842Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:26:10.431{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000095841Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:26:10.431{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000095840Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:26:10.431{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000095839Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:26:10.431{601D2BAB-04ED-614B-0500-00000000FD01}412528C:\Windows\system32\csrss.exe{601D2BAB-12D2-614B-3802-00000000FD01}1224C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000095838Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:26:10.431{601D2BAB-04EF-614B-2300-00000000FD01}15603852C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{601D2BAB-12D2-614B-3802-00000000FD01}1224C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000095837Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:26:10.431{601D2BAB-12D2-614B-3802-00000000FD01}1224C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{601D2BAB-04EE-614B-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{601D2BAB-04EF-614B-2300-00000000FD01}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000113578Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:26:08.604{D0132419-04E8-614B-6A00-00000000FC01}3852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local55932-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000113577Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:26:11.196{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A754FA4352F7F8D8745EE8E3FA4EF64,SHA256=BB44B60C60F85D4A1C6F842C6E72B077E0C77FC895F3C1454F606DA1C0BC8C89,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000095866Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:26:11.102{601D2BAB-12D2-614B-3902-00000000FD01}944840C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{601D2BAB-04EF-614B-2300-00000000FD01}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000113579Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:26:12.212{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF2C3BEFA4C2E999177E4030361B6D88,SHA256=1E25074B1B98B9753B289821CAC1F67F865F8174E4A89DA0F3884E0632DBFE31,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000095868Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:26:10.120{601D2BAB-04F9-614B-6600-00000000FD01}2700C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-301.eu-central-1.compute.internal50421-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000095867Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:26:12.087{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D693A092871DDCF3D0C699152B19247F,SHA256=791F5A522198095260202B0B7A11D259B1495C169982C20582EC9CA69995E73F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000095882Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:26:13.102{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C3295B0E83E0EDD408AA505DFF0F50FC,SHA256=80235B89F5ADD65F1B7A5E686C0A13B7C50F7AB43F3682ECA66335B8651DD81B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000113580Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:26:13.243{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A93FCBD093BA9810AB51B7B587513786,SHA256=C6C5F5B8E82E20F27E60648CD4C35FB88DCA7F87840D87593FAF1E2B22B6C6C0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000095881Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:26:13.009{601D2BAB-04F0-614B-2B00-00000000FD01}28122832C:\Windows\system32\conhost.exe{601D2BAB-12D5-614B-3A02-00000000FD01}2372C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000095880Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:26:13.009{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000095879Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:26:13.009{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000095878Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:26:13.009{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000095877Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:26:13.009{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000095876Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:26:13.009{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000095875Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:26:13.009{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000095874Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:26:13.009{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000095873Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:26:13.009{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000095872Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:26:13.009{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000095871Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:26:13.009{601D2BAB-04ED-614B-0500-00000000FD01}4121044C:\Windows\system32\csrss.exe{601D2BAB-12D5-614B-3A02-00000000FD01}2372C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000095870Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:26:13.009{601D2BAB-04EF-614B-2300-00000000FD01}15603852C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{601D2BAB-12D5-614B-3A02-00000000FD01}2372C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000095869Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:26:13.009{601D2BAB-12D5-614B-3A02-00000000FD01}2372C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{601D2BAB-04EE-614B-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{601D2BAB-04EF-614B-2300-00000000FD01}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000095884Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:26:14.118{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2600478F8B2BC4E3E4ABA25FECE08F76,SHA256=F5BDBBEAD18DCB3174B4A7BBBB042F087E4C3FA890E91C6F268A5AC619E5DB76,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000113581Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:26:14.259{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=56571E96687A71E8A729FFFDCA91DD49,SHA256=D18EA40AC71FFD75FDBDE15E613E91C64C39A31DCEBACA3CF077E0D15DD714E8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000095883Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:26:14.024{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7D5F91F3D8B0B0FD31C5A706631E5AE3,SHA256=39A1CFB0F200DE8DBCD65938C8B47E3D3644D1BC7E15480ED09F3C0880F0B56F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000113586Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:26:15.571{D0132419-04CF-614B-0D00-00000000FC01}9085648C:\Windows\system32\svchost.exe{D0132419-0A65-614B-4801-00000000FC01}3144C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000113585Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:26:15.571{D0132419-04CF-614B-0D00-00000000FC01}9084908C:\Windows\system32\svchost.exe{D0132419-04D0-614B-1000-00000000FC01}388C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000113584Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:26:15.571{D0132419-04CF-614B-0D00-00000000FC01}9085648C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2700-00000000FC01}2804C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000113583Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:26:13.635{D0132419-04E8-614B-6A00-00000000FC01}3852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local55933-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000113582Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:26:15.275{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F0C88CF74604BFFDE09E8EC7A14DD6A,SHA256=BA5172C1CE71456C5D3746FEC31E0216A3D9688755641620974091A91DFE8857,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000095885Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:26:15.134{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7DFC0BF2C8C5802686D5B73DC11FE0D3,SHA256=D033C66C5E560918D5A13CC026BB606C09922236B1C6304A8530DE0C91B2B5D7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000113587Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:26:16.290{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=79108E6B3E398F734B58A54BC18F7130,SHA256=E99894E0E48CC72EA6196ECF447B71D163BAE24ABC71A4A65AAE74C4FE67E2DF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000095886Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:26:16.149{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D0B08A28343311A8BA96C57E00B8A3CD,SHA256=B363D507343E420C0B75041CED71742AF38639C740166B98E4E416C2490B31C2,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000095888Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:26:15.995{601D2BAB-04F9-614B-6600-00000000FD01}2700C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-301.eu-central-1.compute.internal50422-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000095887Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:26:17.165{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C1CF8A4E8A5E5BEDFC545592C1F47BB,SHA256=5AC9405F6B3251043917088B02C9F0A56699E1B3B673A7A2117996B720C3C224,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000113588Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:26:17.307{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F5184005129A6CD8D0D9F92C2BAB53B,SHA256=BC8EAC7272EA3AAFC09FF35F1CF55CEF18D0C6DCB43C2412BDB84902E8EC96C0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000095889Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:26:18.181{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CEDA3E8C39A7C6AA42EAD88B3BB034BD,SHA256=5396C743E2B264D40940AC8BF22C21ED9A3B35887736D5A63CDCDB689ECB76AB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000113589Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:26:18.321{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B1B808AD1F00ACD69F3881F6B3CBA9D6,SHA256=2FBA48180A501E8426B909933EDBA0890C353A03EB1026DF5065322B99A86DA4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000113590Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:26:19.337{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F4E839DDF57B53835A6647A410721F35,SHA256=B70B6908493B761D13C43C43937B7E7A19C7C7BDE864D852214FC6F43AC3EB84,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000095890Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:26:19.181{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C857AFFC9E8950C0A8E22DA8348A2125,SHA256=7F5C7A16AB5AF14E5E328C05923C5382056018B29FFC3167AF89105D4CA55CB5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000113598Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:26:20.837{D0132419-0A66-614B-5001-00000000FC01}41924300C:\Windows\Explorer.EXE{D0132419-12CE-614B-8502-00000000FC01}5580C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62f15|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000113597Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:26:20.837{D0132419-0A66-614B-5001-00000000FC01}41924300C:\Windows\Explorer.EXE{D0132419-12CE-614B-8502-00000000FC01}5580C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e2e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000113596Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:26:20.837{D0132419-0A66-614B-5001-00000000FC01}41924300C:\Windows\Explorer.EXE{D0132419-12CE-614B-8502-00000000FC01}5580C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62df7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000113595Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:26:20.837{D0132419-0A66-614B-5001-00000000FC01}41924344C:\Windows\Explorer.EXE{D0132419-12CE-614B-8602-00000000FC01}5880C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62890|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000113594Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:26:20.837{D0132419-0A66-614B-5001-00000000FC01}41924344C:\Windows\Explorer.EXE{D0132419-12CE-614B-8602-00000000FC01}5880C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47bc0|C:\Windows\System32\SHELL32.dll+6284c|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000113593Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:26:20.837{D0132419-0A66-614B-5001-00000000FC01}41924344C:\Windows\Explorer.EXE{D0132419-12CE-614B-8602-00000000FC01}5880C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62820|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000113592Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:26:20.837{D0132419-0A66-614B-5001-00000000FC01}41924344C:\Windows\Explorer.EXE{D0132419-12CE-614B-8602-00000000FC01}5880C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000113591Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:26:20.353{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2D5D940A5A7E0D630815ED00E96D6C41,SHA256=764BDAD72388D10A02D0D29BD4863A66FE95F3D02E948A5598EF04766F1E564C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000095891Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:26:20.185{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B0DDD971687073D10B9153FBA0974B2,SHA256=6DB2750DCBA2B0D5F9A71D4F13FAAD50490FD8635547A1CDA6EA37EF4273B64A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000095892Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:26:21.200{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=77ABD3F8DF7A4CC7A842DFB5EE4A9B5F,SHA256=8CC3E69E9B8FAEEE0F2F95C4A0C69C15870A71D0CB7F20375B51B677685E6B40,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000113600Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:26:19.573{D0132419-04E8-614B-6A00-00000000FC01}3852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local55934-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000113599Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:26:21.368{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D41B95E968E50AC345393D84006DF39,SHA256=F29EB0A06FE3CFF59CEDC298AD3EAB7DA001084CBDFEC1695927BE480B69363D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000095893Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:26:22.200{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7FDB353F67F57B0327B217DBBCE3D515,SHA256=720C5D2A791A89B0CD4370604FAD060A7F04E03F70F9B700DA13324AAE1EFF23,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000113602Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:26:22.728{D0132419-04CD-614B-0B00-00000000FC01}640844C:\Windows\system32\lsass.exe{D0132419-04C7-614B-0100-00000000FC01}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d211|C:\Windows\system32\lsasrv.dll+2b3d4|C:\Windows\system32\lsasrv.dll+30929|C:\Windows\system32\lsasrv.dll+2e287|C:\Windows\system32\lsasrv.dll+2d211|C:\Windows\system32\lsasrv.dll+15ded|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 23542300x8000000000000000113601Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:26:22.384{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=75ED99B4B8334E6FDA8060BE8610FA34,SHA256=B2B87DAD717F4F1D8B8E53F2F96096631722A88296E22C389C9D33EE711A80BB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000113605Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:26:23.743{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4476D8EC23D353659C1F4A539239EDB5,SHA256=D75EF8ECCA105F76491CBE6552FC1E251EBDE9D9D76D3E4C943346E4E3F38C58,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000113604Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:26:23.743{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6A7BCD07A46980AC3215253337F01751,SHA256=8EFDF7CE4A48D06891B0153A1AD677C648A9F6D72C79535065F734F554C985E0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000113603Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:26:23.415{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=39F268613A9EA601287233AD34F0B2C9,SHA256=CB9390A9869B36272A6B926EB5BA67D3D0C31F8DADBCEEA0DEE6A78BBCC28A46,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000095895Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:26:23.247{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B20F54AABD4AC81375B0FC01FE55399,SHA256=4B61EEE4F61126B042D6F4A3E0732F6E0215528285AC2EB5BF2E49EE26564A38,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000095894Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:26:21.062{601D2BAB-04F9-614B-6600-00000000FD01}2700C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-301.eu-central-1.compute.internal50423-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x8000000000000000113610Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:26:24.900{D0132419-04D0-614B-1000-00000000FC01}3886128C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2B00-00000000FC01}3000C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+2a2f2|C:\Windows\system32\wbem\wmiprvsd.dll+29e26|C:\Windows\system32\wbem\wmiprvsd.dll+28432|C:\Windows\system32\wbem\wmiprvsd.dll+57817|C:\Windows\system32\wbem\wmiprvsd.dll+8a475|C:\Windows\system32\wbem\wbemcore.dll+bcb3|C:\Windows\system32\wbem\wbemcore.dll+3393|C:\Windows\system32\wbem\wbemcore.dll+22adf|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+2c9be|C:\Windows\system32\wbem\wbemcore.dll+202d8|C:\Windows\system32\wbem\wbemcore.dll+390e|C:\Windows\system32\wbem\wbemcore.dll+22bba|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+22711|C:\Windows\system32\wbem\wbemcore.dll+2d78c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000113609Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:26:24.900{D0132419-04D0-614B-1000-00000000FC01}3886128C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2B00-00000000FC01}3000C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+2597b|C:\Windows\system32\wbem\wmiprvsd.dll+283dc|C:\Windows\system32\wbem\wmiprvsd.dll+57817|C:\Windows\system32\wbem\wmiprvsd.dll+8a475|C:\Windows\system32\wbem\wbemcore.dll+bcb3|C:\Windows\system32\wbem\wbemcore.dll+3393|C:\Windows\system32\wbem\wbemcore.dll+22adf|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+2c9be|C:\Windows\system32\wbem\wbemcore.dll+202d8|C:\Windows\system32\wbem\wbemcore.dll+390e|C:\Windows\system32\wbem\wbemcore.dll+22bba|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+22711|C:\Windows\system32\wbem\wbemcore.dll+2d78c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000113608Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:26:22.216{D0132419-04C7-614B-0100-00000000FC01}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:b08d:bb0:abe3:5127win-dc-639.attackrange.local55935-truefe80:0:0:0:b08d:bb0:abe3:5127win-dc-639.attackrange.local445microsoft-ds 354300x8000000000000000113607Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:26:22.216{D0132419-04C7-614B-0100-00000000FC01}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:b08d:bb0:abe3:5127win-dc-639.attackrange.local55935-truefe80:0:0:0:b08d:bb0:abe3:5127win-dc-639.attackrange.local445microsoft-ds 23542300x8000000000000000113606Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:26:24.431{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE4C41910E0A5AC3EA2B46632BFE0B1E,SHA256=AE8BED5AC449CD3F2D2E16E07162321446085020546277F0879A1C8A06678DF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000095897Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:26:24.675{601D2BAB-04EF-614B-1D00-00000000FD01}1920NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-03510517867203100\channels\health\respondent-20210922102657-057MD5=22FBA84AE51C77110BB6250FAEBEFB73,SHA256=8C4862C18A6D8E85F040577B2F2863C8212E82437A5FE9547DE6724818512818,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000095896Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:26:24.251{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A3629E6F19A89F7D88FCF963E9344F7C,SHA256=FA2AA0487EF132778FB4A1A1E82CA5713EFBFD016F00376D6D8F228BF92B10E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000113624Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:26:25.446{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C8AA21BCDCCB32BCD3CC1337A220ABFD,SHA256=6F9EDC0AF9F6B1E3851534947FF27CE743E64EC7480358EF12ABA4653318D371,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000095899Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:26:25.685{601D2BAB-04EF-614B-1D00-00000000FD01}1920NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-03510517867203100\channels\health\surveyor-20210922102655-058MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000095898Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:26:25.295{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3531F1161F2C419AF037A01C370EEB13,SHA256=DF27142CCACB0DCDD7398C0F4AC4E03E77E61F64F0C3E119204AAE978905DF46,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000113623Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-SetValue2021-09-22 11:26:25.384{D0132419-04D0-614B-1300-00000000FC01}396C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{cfca55c0-d44a-4b3f-8684-50c830a64064}\DhcpConnForceBroadcastFlagDWORD (0x00000000) 13241300x8000000000000000113622Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-SetValue2021-09-22 11:26:25.384{D0132419-04D0-614B-1300-00000000FC01}396C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{cfca55c0-d44a-4b3f-8684-50c830a64064}\IsServerNapAwareDWORD (0x00000000) 13241300x8000000000000000113621Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-SetValue2021-09-22 11:26:25.384{D0132419-04D0-614B-1300-00000000FC01}396C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{cfca55c0-d44a-4b3f-8684-50c830a64064}\AddressTypeDWORD (0x00000000) 13241300x8000000000000000113620Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-SetValue2021-09-22 11:26:25.384{D0132419-04D0-614B-1300-00000000FC01}396C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{cfca55c0-d44a-4b3f-8684-50c830a64064}\LeaseTerminatesTimeDWORD (0x614b20f1) 13241300x8000000000000000113619Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-SetValue2021-09-22 11:26:25.384{D0132419-04D0-614B-1300-00000000FC01}396C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{cfca55c0-d44a-4b3f-8684-50c830a64064}\T2DWORD (0x614b1f2f) 13241300x8000000000000000113618Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-SetValue2021-09-22 11:26:25.384{D0132419-04D0-614B-1300-00000000FC01}396C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{cfca55c0-d44a-4b3f-8684-50c830a64064}\T1DWORD (0x614b19e9) 13241300x8000000000000000113617Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-SetValue2021-09-22 11:26:25.384{D0132419-04D0-614B-1300-00000000FC01}396C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{cfca55c0-d44a-4b3f-8684-50c830a64064}\LeaseObtainedTimeDWORD (0x614b12e1) 13241300x8000000000000000113616Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-SetValue2021-09-22 11:26:25.384{D0132419-04D0-614B-1300-00000000FC01}396C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{cfca55c0-d44a-4b3f-8684-50c830a64064}\LeaseDWORD (0x00000e10) 13241300x8000000000000000113615Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-SetValue2021-09-22 11:26:25.384{D0132419-04D0-614B-1300-00000000FC01}396C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{cfca55c0-d44a-4b3f-8684-50c830a64064}\DhcpServer10.0.1.1 13241300x8000000000000000113614Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-SetValue2021-09-22 11:26:25.384{D0132419-04D0-614B-1300-00000000FC01}396C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{cfca55c0-d44a-4b3f-8684-50c830a64064}\DhcpSubnetMask255.255.255.0 13241300x8000000000000000113613Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-SetValue2021-09-22 11:26:25.384{D0132419-04D0-614B-1300-00000000FC01}396C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{cfca55c0-d44a-4b3f-8684-50c830a64064}\DhcpIPAddress10.0.1.14 13241300x8000000000000000113612Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-SetValue2021-09-22 11:26:25.384{D0132419-04D0-614B-1300-00000000FC01}396C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{cfca55c0-d44a-4b3f-8684-50c830a64064}\DhcpInterfaceOptionsBinary Data 23542300x8000000000000000113611Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:26:25.103{D0132419-04D0-614B-1300-00000000FC01}396NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=E9EF2E61B6B99A6F042BB81BBC9E52A3,SHA256=32800155CF17446F2737A4513DD4BEA3BDAB721235E932ECB56BA0D53CA1D432,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000113631Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:26:25.057{D0132419-04DD-614B-2A00-00000000FC01}2988C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local51729- 354300x8000000000000000113630Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:26:24.875{D0132419-04D0-614B-1500-00000000FC01}1128C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetruea00:10e:0:0:c840:ca43:8e5:ffff-60022-truee000:fc:0:0:af05:100:0:0-5355llmnr 354300x8000000000000000113629Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:26:24.875{D0132419-04D0-614B-1500-00000000FC01}1128C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetruefe80:0:0:0:b08d:bb0:abe3:5127win-dc-639.attackrange.local60022-trueff02:0:0:0:0:0:1:3-5355llmnr 354300x8000000000000000113628Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:26:24.869{D0132419-04D0-614B-1300-00000000FC01}396C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruefalse10.0.1.14win-dc-639.attackrange.local68bootpcfalse10.0.1.1ip-10-0-1-1.eu-central-1.compute.internal67bootps 23542300x8000000000000000113627Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:26:26.462{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0835DD86CB82947893A1EA83D949A84F,SHA256=056CB7A5B48125CA9334C490C167A48DC8BB14B1B4F93D1DF71CF11060652187,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000095900Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:26:26.310{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F85CCC12E3C267E20613F7E74168817,SHA256=C3DFE85316F37578F8B1E478C7969A85414FE4B8F5623BDFE17E51F307FFDB57,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000113626Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:26:26.275{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=439EB01E813E6266D095017468F3C8E1,SHA256=FE850B588CCCA0C39A14F26013C4592F2EB3DA5AB9DCDEFF9153B496D287C82D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000113625Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:26:26.275{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=0E07617ADA9A467007FF085FAFB523DB,SHA256=41DE38AD03285DA60AF50D94BE48B5C6391A5FF356DAA6FC4152266EDEA79284,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000095901Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:26:27.373{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=579F31FF9EC89A9B587AA5AC84D56AE1,SHA256=D8BF8F72491115246AD10B53F74386C5D00C7D25C5B45D690CF3F947DBEC93B9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000113647Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:26:25.557{D0132419-04E8-614B-6A00-00000000FC01}3852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local55936-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000113646Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:26:27.478{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5102A0E20E737B7ED2E10678D6F98D1D,SHA256=65A186FFC45AC64F1A396F54A6E8B89303D593472E67A99E1D7857537C521553,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000113645Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-SetValue2021-09-22 11:26:27.431{D0132419-04D0-614B-1500-00000000FC01}1128C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{CFCA55C0-D44A-4B3F-8684-50C830A64064}\RegisteredSinceBootDWORD (0x00000001) 13241300x8000000000000000113644Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-SetValue2021-09-22 11:26:27.431{D0132419-04D0-614B-1500-00000000FC01}1128C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{CFCA55C0-D44A-4B3F-8684-50C830A64064}\StaleAdapterDWORD (0x00000000) 13241300x8000000000000000113643Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-SetValue2021-09-22 11:26:27.431{D0132419-04D0-614B-1500-00000000FC01}1128C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{CFCA55C0-D44A-4B3F-8684-50C830A64064}\CompartmentIdDWORD (0x00000001) 13241300x8000000000000000113642Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-SetValue2021-09-22 11:26:27.431{D0132419-04D0-614B-1500-00000000FC01}1128C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{CFCA55C0-D44A-4B3F-8684-50C830A64064}\FlagsDWORD (0x00000002) 13241300x8000000000000000113641Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-SetValue2021-09-22 11:26:27.431{D0132419-04D0-614B-1500-00000000FC01}1128C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{CFCA55C0-D44A-4B3F-8684-50C830A64064}\TtlDWORD (0x000004b0) 13241300x8000000000000000113640Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-SetValue2021-09-22 11:26:27.431{D0132419-04D0-614B-1500-00000000FC01}1128C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{CFCA55C0-D44A-4B3F-8684-50C830A64064}\SentPriUpdateToIpBinary Data 13241300x8000000000000000113639Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-SetValue2021-09-22 11:26:27.431{D0132419-04D0-614B-1500-00000000FC01}1128C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{CFCA55C0-D44A-4B3F-8684-50C830A64064}\SentUpdateToIpBinary Data 13241300x8000000000000000113638Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-SetValue2021-09-22 11:26:27.431{D0132419-04D0-614B-1500-00000000FC01}1128C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{CFCA55C0-D44A-4B3F-8684-50C830A64064}\DnsServersBinary Data 13241300x8000000000000000113637Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-SetValue2021-09-22 11:26:27.431{D0132419-04D0-614B-1500-00000000FC01}1128C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{CFCA55C0-D44A-4B3F-8684-50C830A64064}\HostAddrsBinary Data 13241300x8000000000000000113636Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-SetValue2021-09-22 11:26:27.431{D0132419-04D0-614B-1500-00000000FC01}1128C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{CFCA55C0-D44A-4B3F-8684-50C830A64064}\PrimaryDomainNameattackrange.local 13241300x8000000000000000113635Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-SetValue2021-09-22 11:26:27.431{D0132419-04D0-614B-1500-00000000FC01}1128C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{CFCA55C0-D44A-4B3F-8684-50C830A64064}\AdapterDomainName(Empty) 13241300x8000000000000000113634Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-SetValue2021-09-22 11:26:27.431{D0132419-04D0-614B-1500-00000000FC01}1128C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{CFCA55C0-D44A-4B3F-8684-50C830A64064}\Hostnamewin-dc-639 10341000x8000000000000000113633Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:26:27.415{D0132419-04CD-614B-0B00-00000000FC01}640684C:\Windows\system32\lsass.exe{D0132419-04D0-614B-1500-00000000FC01}1128C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d211|C:\Windows\system32\lsasrv.dll+2b3d4|C:\Windows\system32\lsasrv.dll+30485|C:\Windows\system32\lsasrv.dll+2e31b|C:\Windows\system32\lsasrv.dll+2d211|C:\Windows\system32\lsasrv.dll+15ded|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 13241300x8000000000000000113632Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-SetValue2021-09-22 11:26:27.415{D0132419-04D0-614B-1500-00000000FC01}1128C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{CFCA55C0-D44A-4B3F-8684-50C830A64064}\RegisteredSinceBootDWORD (0x00000001) 354300x8000000000000000113664Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:26:26.929{D0132419-04DD-614B-2A00-00000000FC01}2988C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-639.attackrange.local53domainfalse10.0.1.14win-dc-639.attackrange.local53551- 354300x8000000000000000113663Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:26:26.929{D0132419-04DD-614B-2A00-00000000FC01}2988C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-639.attackrange.local60022-false10.0.1.14win-dc-639.attackrange.local53domain 354300x8000000000000000113662Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:26:26.929{D0132419-04DD-614B-2A00-00000000FC01}2988C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-639.attackrange.local53domainfalse10.0.1.14win-dc-639.attackrange.local60022- 354300x8000000000000000113661Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:26:26.929{D0132419-04DD-614B-2A00-00000000FC01}2988C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruetruea00:10e:0:0:c840:ca43:8e5:ffff-60022-truea00:10e:0:0:0:0:0:0win-dc-639.attackrange.local53domain 354300x8000000000000000113660Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:26:26.927{D0132419-04DD-614B-2A00-00000000FC01}2988C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local60456- 354300x8000000000000000113659Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:26:26.926{D0132419-04DD-614B-2A00-00000000FC01}2988C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local51885- 354300x8000000000000000113658Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:26:26.926{D0132419-04DD-614B-2A00-00000000FC01}2988C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruetrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local51885-true0:0:0:0:0:0:0:1win-dc-639.attackrange.local53domain 354300x8000000000000000113657Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:26:26.909{D0132419-04CD-614B-0B00-00000000FC01}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local53242-true0:0:0:0:0:0:0:1win-dc-639.attackrange.local389ldap 354300x8000000000000000113656Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:26:26.909{D0132419-04DD-614B-2A00-00000000FC01}2988C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local53242-true0:0:0:0:0:0:0:1win-dc-639.attackrange.local389ldap 354300x8000000000000000113655Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:26:26.907{D0132419-04DD-614B-2A00-00000000FC01}2988C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-639.attackrange.local53domainfalse10.0.1.14win-dc-639.attackrange.local51567- 354300x8000000000000000113654Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:26:26.906{D0132419-04DD-614B-2A00-00000000FC01}2988C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-639.attackrange.local53241-false10.0.1.14win-dc-639.attackrange.local53domain 354300x8000000000000000113653Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:26:26.906{D0132419-04D0-614B-1500-00000000FC01}1128C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcptruefalse10.0.1.14win-dc-639.attackrange.local53241-false10.0.1.14win-dc-639.attackrange.local53domain 354300x8000000000000000113652Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:26:26.904{D0132419-04DD-614B-2A00-00000000FC01}2988C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-639.attackrange.local53domainfalse10.0.1.14win-dc-639.attackrange.local50577- 354300x8000000000000000113651Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:26:26.904{D0132419-04D0-614B-1500-00000000FC01}1128C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruefalse10.0.1.14win-dc-639.attackrange.local50577-false10.0.1.14win-dc-639.attackrange.local53domain 354300x8000000000000000113650Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:26:26.903{D0132419-04DD-614B-2A00-00000000FC01}2988C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local60022- 23542300x8000000000000000113649Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:26:28.493{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=89BDA63C49ED087F55BEA694845D7FEC,SHA256=0071B7B8F2E9ACE77DDE6CC7ED18B168AA1AA619AC657E612F580EEE2DE5884F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000095903Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:26:28.435{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=11EFDB45DC00CD2695E427D57EACF3E1,SHA256=A8997B5E986D817DB226840F236848B8C11104B3EFE3DF81A413E24D62CDFFF3,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000095902Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:26:26.188{601D2BAB-04F9-614B-6600-00000000FD01}2700C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-301.eu-central-1.compute.internal50424-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000113648Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:26:28.431{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4476D8EC23D353659C1F4A539239EDB5,SHA256=D75EF8ECCA105F76491CBE6552FC1E251EBDE9D9D76D3E4C943346E4E3F38C58,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000113665Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:26:29.509{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C3A583158FD2AEBEED285871A5BAD83C,SHA256=CC79018DE57B495318BA22BE6268AD82460CB9B13CFBE76E430CB08D7B529DF4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000095904Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:26:29.435{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B8A7D7912B7E66731BA5E02DAC515907,SHA256=3BF9BD9C101A3FFE6ACB1388575605C7F06DDD91105763AD89D5DFD2AAD9E538,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000113666Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:26:30.525{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C6FC4D36F71360E596A44DF094B9F2E,SHA256=6FC3381846B7A4D83ACE2618148B4EE04211AA794E964347F2ADA626BDAA6726,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000095905Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:26:30.451{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8FDA7132A234232E93874F1A47E419F1,SHA256=4AEF8D7E32F2B05E1FA5D100133809104EA85DEF0464CF0DF04523069AF46287,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000113667Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:26:31.556{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C2115D17D0369EA5C80C9AA01795E17,SHA256=328EF8A037B659B73E71E20A3D9B1AAC3714595BA5037EEF3DC3748435AC06BA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000095906Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:26:31.466{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B564AD5698D7B6BA8A93EC77A857F518,SHA256=930645F29EA8925AC7896AF5196D0E110BCB8AE1517E3A39AE8882C2AF017454,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000113669Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:26:30.713{D0132419-04E8-614B-6A00-00000000FC01}3852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local53243-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000113668Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:26:32.571{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C0910A7A81BAF07DB2EA8FBD892F228,SHA256=CA603143AF40EC7724486760DBBDE36293F00C25C49E855F5421622349C69222,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000095907Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:26:32.482{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CF817D0CE86E2F0C596564CCEF3483E5,SHA256=9A7F3B106561FD0ACCBBAEC398CC8EFD081E5B4806BD850A561E92C3944EC0AE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000113670Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:26:33.587{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D0426BE3AC5D6D9F97949C816A3F966C,SHA256=E477580B4DEB3198E0A0A3C2C346B83360CF09AEBED7FBD4CDED2A471A21BD7E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000095908Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:26:33.482{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF8D324E4B129AC59901BFD4BED72E3D,SHA256=B3DC2F23E6EC87D826F01AFCB7F4BEBCCC1B76A3EC1DF087A20E6574F3634486,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000113674Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.localEXE2021-09-22 11:26:34.650{D0132419-12CE-614B-8502-00000000FC01}5580C:\Windows\system32\cmd.exeC:\Users\Administrator\AppData\Roaming\WIN32\WIN32.exe2021-09-22 11:26:34.650 23542300x8000000000000000113673Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:26:34.603{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A00560F794FC9BE0E3270DD31279985,SHA256=DB0F18F124A53B2CCD9C2AEB49DE6F032925B56BFE30D36B9863D7B2B457F7D8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000095910Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:26:34.498{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E7CC3826EBCBDDAB0A283FFE27A8202,SHA256=64E38109909198B9AB61728D4FF8F2E2ACDC7353B43E80F5D3FA06F6D0D0426D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000113672Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:26:34.478{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B419EFC846DDD6477F78C820C32D6386,SHA256=B00A0B80FC0BB02F2626002F46867359FF574DD7E5E768199B59EE4E01D8DACD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000113671Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:26:34.478{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9D1DA3C5C16588B0B5F13475DE4F471F,SHA256=564772EF64643F2ABEEBAA102AC03E00F9298A0B46FA6EE79E8E7C407D8C62D3,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000095909Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:26:32.078{601D2BAB-04F9-614B-6600-00000000FD01}2700C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-301.eu-central-1.compute.internal50425-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000113675Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:26:35.634{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E11505A521C2D9F404AB80D9701065C4,SHA256=3F5D830CE6DD60F9344965871BA2B789A6A1FC54BC089ED62FE8526DDD8AB669,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000095911Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:26:35.498{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E5559BD580D6AD48B7A5913D69E5FB0,SHA256=97919E7E0D7E7994F7B7861AA228F5070FED79D22A8CC190C1C815ECFF171F0D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000113676Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:26:36.650{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B2A2966F6D059EDB9471A6F1031ABA0,SHA256=2CF0DADB6CC9EFE4D7B3AD8B5E9B745B69F8D269D4C5E96F43FC71818DA282F0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000095912Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:26:36.498{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CF84676CB2C740488525815E68EDBA6A,SHA256=D5AC8CAD25E7E5B1018CEB13B6D599C000BB64C1BD666B9D331E94AB59C14764,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000113678Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:26:37.665{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9A49BF6BDB5E5229DAB36F12A8921592,SHA256=85727AE093EAD5A460360B90A0399F73EF72CC12A18FE437833F6F82F36F19CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000095913Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:26:37.529{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9741CEAF3EDB9424B9BEFF629B13B4D8,SHA256=DF5AAED1B1A1FE84435CF1937AFAB1D05AA71D800BE89C40B4BB307366081888,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000113677Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:26:37.087{D0132419-04DD-614B-2800-00000000FC01}2832NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=2990B16A694DD695D7F6C8AE7AEE48F0,SHA256=B465CF03FBDF89CAB3FC04972E2D540944CDC3DF8EB3010FFE979D2D499C10D3,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000113681Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:26:36.557{D0132419-04DD-614B-2800-00000000FC01}2832C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local53245-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 354300x8000000000000000113680Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:26:36.557{D0132419-04E8-614B-6A00-00000000FC01}3852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local53244-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000113679Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:26:38.696{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=35116D7C36D397B9F1201F3C693247BF,SHA256=CFABDA03F9E0853F1FB654154304B23965D407AE810B6788A4A679AE20635064,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000095914Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:26:38.529{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=74F91995D333534AA5FEDA7A2676C717,SHA256=90055DF9AC565E31EC165C590CF39F090249FADB84DAB8647D5B4668D8BA3164,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000113682Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:26:39.696{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C3C793A79511E4717B9924EE45D6EBAB,SHA256=75338D2F0D8C0B1908576941F1037AC193D839D34FDC34A0BDCB29DB6662EE54,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000095916Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:26:39.545{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EBDEF6F2998DB5C91B209C6943FE16BC,SHA256=10F633F0BCE4D0E2FB1CB445126FB59455091F42F23005D50987252AECECFF39,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000095915Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:26:38.000{601D2BAB-04F9-614B-6600-00000000FD01}2700C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-301.eu-central-1.compute.internal50426-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x8000000000000000113687Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:26:40.932{D0132419-04CF-614B-0C00-00000000FC01}8486036C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2700-00000000FC01}2804C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000113686Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:26:40.932{D0132419-04CF-614B-0C00-00000000FC01}8486036C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2700-00000000FC01}2804C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000113685Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:26:40.932{D0132419-04CF-614B-0C00-00000000FC01}8486036C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2700-00000000FC01}2804C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000113684Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:26:40.932{D0132419-04CF-614B-0C00-00000000FC01}8486036C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2700-00000000FC01}2804C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000113683Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:26:40.698{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D79EF277DD8DBC8217A6BF3DAE5DB9D5,SHA256=74C8913A3F47F120C2F446335429E5C95AD0639C1945AEF78DFDAC3A3D005A54,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000095917Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:26:40.548{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C00A1443C04FA9E0B559D55D04343F24,SHA256=D1DDCBB4038CCA665E6D0CF54566D1E998F4B3CDAB8A3C8DCB6E632E26721554,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000113688Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:26:41.702{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6748C867E9A452F6570D66E26CBCA848,SHA256=350D86337140EEBE3B56491C5743009C946E11023993C711513605C5C6B54209,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000095918Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:26:41.548{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=37E6D6E9191B05D098C700E849A0D6A0,SHA256=755FB7725F6C351FFC04AA74C20344DFBADE6CEA682F4EFCEAF048EA8045F32D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000113689Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:26:42.713{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6AC644FE23C27BB1CF88CF3787C7A740,SHA256=48A1264BAEA329027C30EDDA764CF8D01BE288E50C2677BCFA1EC3CCA40A950D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000095920Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:26:42.580{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=625D4502E6A8D89474F15EAF4108E065,SHA256=086FEBFD8387B285CF38EB64E945F4679C6E43F9538377517459D8DFDBCEE2F7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000095919Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:26:42.095{601D2BAB-04EF-614B-2300-00000000FD01}1560NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=2990B16A694DD695D7F6C8AE7AEE48F0,SHA256=B465CF03FBDF89CAB3FC04972E2D540944CDC3DF8EB3010FFE979D2D499C10D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000113690Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:26:43.729{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD6B8F89B0A113702F2C90C34CC2E874,SHA256=41BC2CFE48EB515C17C85DAB7E7FDDAC4E8443F4CC98F66D639640337DED4501,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000095921Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:26:43.611{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=07DACFA518C3E2D5A6A55B2B0276D77D,SHA256=BE784D40E1FD63A57C2125E8089BFFFDD314585B8C2979158115700C41FE366A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000095924Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:26:44.626{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5675BCEA840F48170D5592AF55C75FE7,SHA256=60C561DFCF3A878271C567367EEA4BDC10E51A7BD76F460743FE14FBE72A0EDA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000113721Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:26:44.323{D0132419-0A66-614B-5001-00000000FC01}41924300C:\Windows\Explorer.EXE{D0132419-12F4-614B-8902-00000000FC01}2016C:\Users\Administrator\AppData\Roaming\WIN32\WIN32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62f15|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000113720Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:26:44.323{D0132419-0A66-614B-5001-00000000FC01}41924300C:\Windows\Explorer.EXE{D0132419-12F4-614B-8902-00000000FC01}2016C:\Users\Administrator\AppData\Roaming\WIN32\WIN32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e2e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000113719Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:26:44.323{D0132419-0A66-614B-5001-00000000FC01}41924300C:\Windows\Explorer.EXE{D0132419-12F4-614B-8902-00000000FC01}2016C:\Users\Administrator\AppData\Roaming\WIN32\WIN32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62df7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000113718Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:26:44.323{D0132419-0A65-614B-4901-00000000FC01}22881204C:\Windows\system32\taskhostw.exe{D0132419-12F4-614B-8A02-00000000FC01}4780C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000113717Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:26:44.323{D0132419-0A65-614B-4901-00000000FC01}22881204C:\Windows\system32\taskhostw.exe{D0132419-12F4-614B-8A02-00000000FC01}4780C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000113716Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:26:44.307{D0132419-0A66-614B-5001-00000000FC01}41924488C:\Windows\Explorer.EXE{D0132419-12F4-614B-8902-00000000FC01}2016C:\Users\Administrator\AppData\Roaming\WIN32\WIN32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62f15|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000113715Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:26:44.307{D0132419-0A66-614B-5001-00000000FC01}41924488C:\Windows\Explorer.EXE{D0132419-12F4-614B-8902-00000000FC01}2016C:\Users\Administrator\AppData\Roaming\WIN32\WIN32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e2e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000113714Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:26:44.307{D0132419-0A66-614B-5001-00000000FC01}41924488C:\Windows\Explorer.EXE{D0132419-12F4-614B-8902-00000000FC01}2016C:\Users\Administrator\AppData\Roaming\WIN32\WIN32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62df7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000113713Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:26:44.307{D0132419-0A66-614B-5001-00000000FC01}41924488C:\Windows\Explorer.EXE{D0132419-12F4-614B-8902-00000000FC01}2016C:\Users\Administrator\AppData\Roaming\WIN32\WIN32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000113712Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:26:44.291{D0132419-0A66-614B-5001-00000000FC01}41924344C:\Windows\Explorer.EXE{D0132419-12F4-614B-8A02-00000000FC01}4780C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62890|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000113711Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:26:44.291{D0132419-0A66-614B-5001-00000000FC01}41924344C:\Windows\Explorer.EXE{D0132419-12F4-614B-8A02-00000000FC01}4780C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47bc0|C:\Windows\System32\SHELL32.dll+6284c|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000113710Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:26:44.291{D0132419-0A66-614B-5001-00000000FC01}41924344C:\Windows\Explorer.EXE{D0132419-12F4-614B-8A02-00000000FC01}4780C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62820|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000113709Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:26:44.291{D0132419-0A66-614B-5001-00000000FC01}41924344C:\Windows\Explorer.EXE{D0132419-12F4-614B-8A02-00000000FC01}4780C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 13241300x8000000000000000113708Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-SetValue2021-09-22 11:26:44.291{D0132419-04D0-614B-1200-00000000FC01}628C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d7afa4-0xb8efaf03) 10341000x8000000000000000113707Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:26:44.276{D0132419-04D0-614B-1000-00000000FC01}3881876C:\Windows\system32\svchost.exe{D0132419-12F4-614B-8A02-00000000FC01}4780C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000113706Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:26:44.276{D0132419-04D0-614B-1000-00000000FC01}3881348C:\Windows\system32\svchost.exe{D0132419-12F4-614B-8A02-00000000FC01}4780C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000113705Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:26:44.276{D0132419-12F4-614B-8A02-00000000FC01}47803272C:\Windows\system32\conhost.exe{D0132419-12F4-614B-8902-00000000FC01}2016C:\Users\Administrator\AppData\Roaming\WIN32\WIN32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000113704Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:26:44.260{D0132419-0A63-614B-3F01-00000000FC01}30763140C:\Windows\system32\csrss.exe{D0132419-12F4-614B-8A02-00000000FC01}4780C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000113703Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:26:44.245{D0132419-04D0-614B-1400-00000000FC01}8645692C:\Windows\System32\svchost.exe{D0132419-12F4-614B-8A02-00000000FC01}4780C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000113702Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:26:44.245{D0132419-04D0-614B-1400-00000000FC01}8645692C:\Windows\System32\svchost.exe{D0132419-12F4-614B-8902-00000000FC01}2016C:\Users\Administrator\AppData\Roaming\WIN32\WIN32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 13241300x8000000000000000113701Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.localInvDBSetValue2021-09-22 11:26:44.245{D0132419-04D0-614B-1400-00000000FC01}864C:\Windows\System32\svchost.exeHKU\S-1-5-21-4212517941-3008131832-663396887-500\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store\C:\Users\Administrator\AppData\Roaming\WIN32\WIN32.exeBinary Data 10341000x8000000000000000113700Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:26:44.245{D0132419-04D0-614B-1400-00000000FC01}8641124C:\Windows\System32\svchost.exe{D0132419-12F4-614B-8902-00000000FC01}2016C:\Users\Administrator\AppData\Roaming\WIN32\WIN32.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\pcasvc.dll+52e4|c:\windows\system32\pcasvc.dll+58a9|c:\windows\system32\pcasvc.dll+5b49|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000113699Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:26:44.245{D0132419-04D0-614B-1400-00000000FC01}8641124C:\Windows\System32\svchost.exe{D0132419-0A66-614B-5001-00000000FC01}4192C:\Windows\Explorer.EXE0x1440C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+5bab|c:\windows\system32\pcasvc.dll+5b07|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000113698Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:26:44.245{D0132419-04CF-614B-0C00-00000000FC01}8486036C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000113697Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:26:44.245{D0132419-04CF-614B-0C00-00000000FC01}8486036C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000113696Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:26:44.245{D0132419-04CF-614B-0C00-00000000FC01}8486036C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000113695Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:26:44.245{D0132419-0A63-614B-3F01-00000000FC01}30763140C:\Windows\system32\csrss.exe{D0132419-12F4-614B-8902-00000000FC01}2016C:\Users\Administrator\AppData\Roaming\WIN32\WIN32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000113694Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:26:44.245{D0132419-04CF-614B-0C00-00000000FC01}8486036C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000113693Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:26:44.245{D0132419-0A66-614B-5001-00000000FC01}41923872C:\Windows\Explorer.EXE{D0132419-12F4-614B-8902-00000000FC01}2016C:\Users\Administrator\AppData\Roaming\WIN32\WIN32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+a909f|C:\Windows\System32\windows.storage.dll+a8d15|C:\Windows\System32\windows.storage.dll+a8806|C:\Windows\System32\windows.storage.dll+a9c78|C:\Windows\System32\windows.storage.dll+a862e|C:\Windows\System32\windows.storage.dll+ab445|C:\Windows\System32\windows.storage.dll+ab7c4|C:\Windows\System32\windows.storage.dll+aae00|C:\Windows\System32\windows.storage.dll+ad62a|C:\Windows\System32\windows.storage.dll+ad3e2|C:\Windows\System32\SHELL32.dll+3f8bd|C:\Windows\System32\SHELL32.dll+3e456|C:\Windows\System32\SHELL32.dll+801d1|C:\Windows\System32\SHELL32.dll+6716e|C:\Windows\System32\SHELL32.dll+17c27c|C:\Windows\System32\SHELL32.dll+19ea38|C:\Windows\System32\SHELL32.dll+284683|C:\Windows\system32\explorerframe.dll+13cf7b|C:\Windows\system32\explorerframe.dll+139d07|C:\Windows\System32\SHELL32.dll+17c520 154100x8000000000000000113692Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:26:44.248{D0132419-12F4-614B-8902-00000000FC01}2016C:\Users\Administrator\AppData\Roaming\WIN32\WIN32.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Users\Administrator\AppData\Roaming\WIN32\WIN32.exe" C:\Users\Administrator\AppData\Roaming\WIN32\ATTACKRANGE\Administrator{D0132419-0A65-614B-76B4-0E0000000000}0xeb4762HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{D0132419-0A66-614B-5001-00000000FC01}4192C:\Windows\explorer.exeC:\Windows\Explorer.EXE /NOUACCHECK 354300x8000000000000000113691Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:26:41.558{D0132419-04E8-614B-6A00-00000000FC01}3852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local53246-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x800000000000000095923Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:26:43.082{601D2BAB-04F9-614B-6600-00000000FD01}2700C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-301.eu-central-1.compute.internal50428-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x800000000000000095922Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:26:42.035{601D2BAB-04EF-614B-2300-00000000FD01}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-301.eu-central-1.compute.internal50427-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x800000000000000095925Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:26:45.626{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BFF6D853D0BD9F7FEA8D4E46AF0CBCDE,SHA256=F2A938E854E84496771D25167C92FC4838A7BA46A1D18E3523F7CCF4D7637A7D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000113733Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:26:45.823{D0132419-0A66-614B-5001-00000000FC01}41924300C:\Windows\Explorer.EXE{D0132419-12CE-614B-8502-00000000FC01}5580C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62f15|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000113732Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:26:45.823{D0132419-0A66-614B-5001-00000000FC01}41924300C:\Windows\Explorer.EXE{D0132419-12CE-614B-8502-00000000FC01}5580C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e2e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000113731Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:26:45.823{D0132419-0A66-614B-5001-00000000FC01}41924300C:\Windows\Explorer.EXE{D0132419-12CE-614B-8502-00000000FC01}5580C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62df7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000113730Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:26:45.823{D0132419-0A66-614B-5001-00000000FC01}41924344C:\Windows\Explorer.EXE{D0132419-12CE-614B-8602-00000000FC01}5880C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62890|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000113729Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:26:45.823{D0132419-0A66-614B-5001-00000000FC01}41924344C:\Windows\Explorer.EXE{D0132419-12CE-614B-8602-00000000FC01}5880C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47bc0|C:\Windows\System32\SHELL32.dll+6284c|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000113728Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:26:45.823{D0132419-0A66-614B-5001-00000000FC01}41924344C:\Windows\Explorer.EXE{D0132419-12CE-614B-8602-00000000FC01}5880C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62820|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000113727Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:26:45.823{D0132419-0A66-614B-5001-00000000FC01}41924344C:\Windows\Explorer.EXE{D0132419-12CE-614B-8602-00000000FC01}5880C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000113726Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:26:45.291{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=5A8C72FDD84BFCBB6D65DFD73D99291C,SHA256=93A48BAD5932E4C70534FB1660EFDED656BE0174954829D588281BADF667A1CC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000113725Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:26:45.291{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=439EB01E813E6266D095017468F3C8E1,SHA256=FE850B588CCCA0C39A14F26013C4592F2EB3DA5AB9DCDEFF9153B496D287C82D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000113724Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:26:45.260{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9032BA190B5B14C496BAEF13CAC3588E,SHA256=76F3BE2A04B7B052E6520DA5171ECF56E4A76D75322BA8425461913AB79DF47E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000113723Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:26:45.260{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B419EFC846DDD6477F78C820C32D6386,SHA256=B00A0B80FC0BB02F2626002F46867359FF574DD7E5E768199B59EE4E01D8DACD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000113722Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:26:45.182{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=57844627F6406423B6FA3140EF841CB3,SHA256=2BC765442E52D0147972F3ABAC4B7323EA21DB5D1B925ABB72856C4FD0855488,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000095926Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:26:46.658{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C9D1B5CABE9468C8AA77BF8F6D7E6649,SHA256=EB03E56A1DB12181D5C23ECB48623FED8474DCF6789A62AA098718D2E67C2890,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000113735Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:26:43.761{D0132419-04D0-614B-1200-00000000FC01}628C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruefalse10.0.1.14win-dc-639.attackrange.local123ntpfalse169.254.169.123-123ntp 23542300x8000000000000000113734Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:26:46.198{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FD5773C900BD839A94AA834644B67461,SHA256=56538E4D5E02F4864AB4193C645A4E46349B959BC022E9ED3E7EA936ADFFB779,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000095927Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:26:47.658{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5DA3447644134D8153E662A79222F774,SHA256=6149CC1B6FD320906221E0B3B869642F11D01549A0362078B0DFF75DAE16543C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000113743Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:26:47.432{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E385DC8D65F98716FBFBB28E686E35DC,SHA256=3E99FE50CD22CF870456D9FD481B77D0128EA4ADA8EBE7D2B3BBC2A76F2BB50F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000113742Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:26:47.245{D0132419-0A66-614B-5001-00000000FC01}41924300C:\Windows\Explorer.EXE{D0132419-12F4-614B-8902-00000000FC01}2016C:\Users\Administrator\AppData\Roaming\WIN32\WIN32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62f15|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000113741Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:26:47.245{D0132419-0A66-614B-5001-00000000FC01}41924300C:\Windows\Explorer.EXE{D0132419-12F4-614B-8902-00000000FC01}2016C:\Users\Administrator\AppData\Roaming\WIN32\WIN32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e2e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000113740Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:26:47.245{D0132419-0A66-614B-5001-00000000FC01}41924300C:\Windows\Explorer.EXE{D0132419-12F4-614B-8902-00000000FC01}2016C:\Users\Administrator\AppData\Roaming\WIN32\WIN32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62df7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000113739Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:26:47.229{D0132419-0A66-614B-5001-00000000FC01}41924344C:\Windows\Explorer.EXE{D0132419-12F4-614B-8A02-00000000FC01}4780C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62890|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000113738Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:26:47.229{D0132419-0A66-614B-5001-00000000FC01}41924344C:\Windows\Explorer.EXE{D0132419-12F4-614B-8A02-00000000FC01}4780C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47bc0|C:\Windows\System32\SHELL32.dll+6284c|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000113737Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:26:47.229{D0132419-0A66-614B-5001-00000000FC01}41924344C:\Windows\Explorer.EXE{D0132419-12F4-614B-8A02-00000000FC01}4780C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62820|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000113736Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:26:47.229{D0132419-0A66-614B-5001-00000000FC01}41924344C:\Windows\Explorer.EXE{D0132419-12F4-614B-8A02-00000000FC01}4780C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000095928Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:26:48.658{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E67F3BA189CE8F224C0EE0BF48735C24,SHA256=3479F7BDD1E832C761F7CDAD2A1E288235A24C478089DD682EC5E60E42B70BB4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000113744Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:26:48.448{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=63255D61CBA0C34CBF5AD428649DAD9A,SHA256=4A6A5CA9E97D39698B9FB30FA0C899B369F45B52B15B63033809A24A5FD551D7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000095929Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:26:49.689{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F4C44A0F03D1114AA7CC4BB754CE8115,SHA256=5EF3C2D307AAD5098DF1FC2E1E1EEE5C8309191FD4FEC553A9012DA6ECF2F584,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000113754Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:26:49.573{D0132419-04DE-614B-3100-00000000FC01}23683044C:\Windows\system32\conhost.exe{D0132419-12F9-614B-8B02-00000000FC01}5132C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000113753Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:26:49.573{D0132419-04CF-614B-0C00-00000000FC01}8486036C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000113752Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:26:49.573{D0132419-04CF-614B-0C00-00000000FC01}8486036C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000113751Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:26:49.573{D0132419-04CF-614B-0C00-00000000FC01}8486036C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000113750Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:26:49.573{D0132419-04CF-614B-0C00-00000000FC01}8486036C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000113749Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:26:49.573{D0132419-04CD-614B-0500-00000000FC01}424440C:\Windows\system32\csrss.exe{D0132419-12F9-614B-8B02-00000000FC01}5132C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000113748Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:26:49.573{D0132419-04DD-614B-2800-00000000FC01}28323704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D0132419-12F9-614B-8B02-00000000FC01}5132C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000113747Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:26:49.573{D0132419-12F9-614B-8B02-00000000FC01}5132C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D0132419-04CD-614B-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{D0132419-04DD-614B-2800-00000000FC01}2832C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000113746Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:26:49.479{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=23573FFE93D7F2CDF3EC720E8821C10C,SHA256=71BC1C5859DA400D0AD3084FECBC30E27F6E20C1A6C44714717146F9B7A78B7B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000113745Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:26:46.636{D0132419-04E8-614B-6A00-00000000FC01}3852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local53247-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000095931Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:26:50.720{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B2457E008513B57969A06B2C3BBFB28A,SHA256=7872C21584DED8474BABB8E9730C254DEFD0C37F2CF3E8813F8FB35DDD62C935,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000113766Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:26:50.666{D0132419-12FA-614B-8C02-00000000FC01}49325304C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{D0132419-04DD-614B-2800-00000000FC01}2832C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000113765Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:26:50.651{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FF5E553398D8510C60A9F9785A6AEC41,SHA256=DBFB5E11157FCECB583F27E111F729BD72CC7BC7BEFCAEA8AF4A367CB3250FEF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000113764Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:26:50.651{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9032BA190B5B14C496BAEF13CAC3588E,SHA256=76F3BE2A04B7B052E6520DA5171ECF56E4A76D75322BA8425461913AB79DF47E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000113763Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:26:50.479{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=313574B66CB2B26BF102BD770BB26894,SHA256=B3E04AFDB74AB2CD58F1BA538E190BD34CA4E6039204EC38BA254F62684649E8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000113762Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:26:50.479{D0132419-04DE-614B-3100-00000000FC01}23683044C:\Windows\system32\conhost.exe{D0132419-12FA-614B-8C02-00000000FC01}4932C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000113761Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:26:50.479{D0132419-04CF-614B-0C00-00000000FC01}8486036C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000113760Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:26:50.479{D0132419-04CF-614B-0C00-00000000FC01}8486036C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000113759Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:26:50.479{D0132419-04CF-614B-0C00-00000000FC01}8486036C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000113758Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:26:50.479{D0132419-04CF-614B-0C00-00000000FC01}8486036C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000113757Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:26:50.479{D0132419-04CD-614B-0500-00000000FC01}424540C:\Windows\system32\csrss.exe{D0132419-12FA-614B-8C02-00000000FC01}4932C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000113756Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:26:50.479{D0132419-04DD-614B-2800-00000000FC01}28323704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D0132419-12FA-614B-8C02-00000000FC01}4932C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000113755Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:26:50.480{D0132419-12FA-614B-8C02-00000000FC01}4932C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D0132419-04CD-614B-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{D0132419-04DD-614B-2800-00000000FC01}2832C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000095930Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:26:48.988{601D2BAB-04F9-614B-6600-00000000FD01}2700C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-301.eu-central-1.compute.internal50429-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000095932Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:26:51.736{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D9E995B665714A335426CB3AF546D7C,SHA256=79521E220114691DF6BCB4FB9E15AD40042CE30741E9067AA05D49A3964ABD3D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000113775Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:26:51.510{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E51DC587BA1E76F90D2E3B79BCF072A,SHA256=16135864F4D7FDB395D191E057F88EB781B82C9EA87B881B832062EE9109EA0A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000113774Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:26:51.151{D0132419-04DE-614B-3100-00000000FC01}23683044C:\Windows\system32\conhost.exe{D0132419-12FB-614B-8D02-00000000FC01}5288C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000113773Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:26:51.151{D0132419-04CF-614B-0C00-00000000FC01}8486036C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000113772Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:26:51.151{D0132419-04CF-614B-0C00-00000000FC01}8486036C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000113771Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:26:51.151{D0132419-04CF-614B-0C00-00000000FC01}8486036C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000113770Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:26:51.151{D0132419-04CF-614B-0C00-00000000FC01}8486036C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000113769Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:26:51.151{D0132419-04CD-614B-0500-00000000FC01}42492C:\Windows\system32\csrss.exe{D0132419-12FB-614B-8D02-00000000FC01}5288C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000113768Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:26:51.151{D0132419-04DD-614B-2800-00000000FC01}28323704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D0132419-12FB-614B-8D02-00000000FC01}5288C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000113767Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:26:51.152{D0132419-12FB-614B-8D02-00000000FC01}5288C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D0132419-04CD-614B-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{D0132419-04DD-614B-2800-00000000FC01}2832C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000095933Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:26:52.736{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB34B2CC08379263B63CC0979AA2D33E,SHA256=DAAB9E0DF6BBECE52B92F55034BAA1C95BED93F3F3516EDE8688863A0D0D5414,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000113779Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:26:52.526{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=76C6AFFB6604173D8181E8BB253F5F51,SHA256=37D1BE7A5A30C94307F0C8DD6EE584EEF8F38D847ACBEE5291EAD710349F5E6A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000113778Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:26:50.511{D0132419-04CD-614B-0B00-00000000FC01}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local53248-true0:0:0:0:0:0:0:1win-dc-639.attackrange.local389ldap 354300x8000000000000000113777Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:26:50.511{D0132419-04DD-614B-2500-00000000FC01}2784C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local53248-true0:0:0:0:0:0:0:1win-dc-639.attackrange.local389ldap 23542300x8000000000000000113776Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:26:52.073{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FF5E553398D8510C60A9F9785A6AEC41,SHA256=DBFB5E11157FCECB583F27E111F729BD72CC7BC7BEFCAEA8AF4A367CB3250FEF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000095934Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:26:53.751{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7699F29A17C26421C11C11A273C97BB9,SHA256=09C406200EF58BAFBE3265AEE94252A1CEC853D3663D846A94AED3260BC801F3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000113789Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:26:53.760{D0132419-12FD-614B-8E02-00000000FC01}20684828C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D0132419-04DD-614B-2800-00000000FC01}2832C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000113788Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:26:53.573{D0132419-04DE-614B-3100-00000000FC01}23683044C:\Windows\system32\conhost.exe{D0132419-12FD-614B-8E02-00000000FC01}2068C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000113787Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:26:53.573{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F05A2F7EF8236426B83A34817BAADBF,SHA256=FE1AFAE4B6FE0851CFFBD4D47917B859D60BD7167D1E1470D4072ACD65071B76,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000113786Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:26:53.573{D0132419-04CF-614B-0C00-00000000FC01}8486036C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000113785Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:26:53.573{D0132419-04CF-614B-0C00-00000000FC01}8486036C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000113784Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:26:53.573{D0132419-04CF-614B-0C00-00000000FC01}8486036C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000113783Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:26:53.573{D0132419-04CF-614B-0C00-00000000FC01}8486036C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000113782Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:26:53.573{D0132419-04CD-614B-0500-00000000FC01}42492C:\Windows\system32\csrss.exe{D0132419-12FD-614B-8E02-00000000FC01}2068C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000113781Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:26:53.573{D0132419-04DD-614B-2800-00000000FC01}28323704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D0132419-12FD-614B-8E02-00000000FC01}2068C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000113780Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:26:53.573{D0132419-12FD-614B-8E02-00000000FC01}2068C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D0132419-04CD-614B-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{D0132419-04DD-614B-2800-00000000FC01}2832C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000095947Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:26:54.751{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DBB81A5E6E1BB8D0317FF6A866D8BA43,SHA256=057132BA8D2570E4D1AC20CE119636ECF3042FA18603933296EBCDC318E8BCE8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000113791Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:26:54.604{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=915409E5BA82F6040D3869EAE8A31497,SHA256=00C4DD0A09606BE5F1F68DE26AE58DC8E26EEEB541E18CCAC6758349516B3CC1,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000095946Microsoft-Windows-Sysmon/Operationalwin-host-301-SetValue2021-09-22 11:26:54.345{601D2BAB-04EE-614B-1100-00000000FD01}972C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{881f8b69-9828-40a2-bd6a-9e36c4676c60}\DhcpConnForceBroadcastFlagDWORD (0x00000000) 13241300x800000000000000095945Microsoft-Windows-Sysmon/Operationalwin-host-301-SetValue2021-09-22 11:26:54.345{601D2BAB-04EE-614B-1100-00000000FD01}972C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{881f8b69-9828-40a2-bd6a-9e36c4676c60}\IsServerNapAwareDWORD (0x00000000) 13241300x800000000000000095944Microsoft-Windows-Sysmon/Operationalwin-host-301-SetValue2021-09-22 11:26:54.345{601D2BAB-04EE-614B-1100-00000000FD01}972C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{881f8b69-9828-40a2-bd6a-9e36c4676c60}\AddressTypeDWORD (0x00000000) 13241300x800000000000000095943Microsoft-Windows-Sysmon/Operationalwin-host-301-SetValue2021-09-22 11:26:54.345{601D2BAB-04EE-614B-1100-00000000FD01}972C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{881f8b69-9828-40a2-bd6a-9e36c4676c60}\LeaseTerminatesTimeDWORD (0x614b210e) 13241300x800000000000000095942Microsoft-Windows-Sysmon/Operationalwin-host-301-SetValue2021-09-22 11:26:54.345{601D2BAB-04EE-614B-1100-00000000FD01}972C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{881f8b69-9828-40a2-bd6a-9e36c4676c60}\T2DWORD (0x614b1f4c) 13241300x800000000000000095941Microsoft-Windows-Sysmon/Operationalwin-host-301-SetValue2021-09-22 11:26:54.345{601D2BAB-04EE-614B-1100-00000000FD01}972C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{881f8b69-9828-40a2-bd6a-9e36c4676c60}\T1DWORD (0x614b1a06) 13241300x800000000000000095940Microsoft-Windows-Sysmon/Operationalwin-host-301-SetValue2021-09-22 11:26:54.345{601D2BAB-04EE-614B-1100-00000000FD01}972C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{881f8b69-9828-40a2-bd6a-9e36c4676c60}\LeaseObtainedTimeDWORD (0x614b12fe) 13241300x800000000000000095939Microsoft-Windows-Sysmon/Operationalwin-host-301-SetValue2021-09-22 11:26:54.345{601D2BAB-04EE-614B-1100-00000000FD01}972C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{881f8b69-9828-40a2-bd6a-9e36c4676c60}\LeaseDWORD (0x00000e10) 13241300x800000000000000095938Microsoft-Windows-Sysmon/Operationalwin-host-301-SetValue2021-09-22 11:26:54.345{601D2BAB-04EE-614B-1100-00000000FD01}972C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{881f8b69-9828-40a2-bd6a-9e36c4676c60}\DhcpServer10.0.1.1 13241300x800000000000000095937Microsoft-Windows-Sysmon/Operationalwin-host-301-SetValue2021-09-22 11:26:54.345{601D2BAB-04EE-614B-1100-00000000FD01}972C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{881f8b69-9828-40a2-bd6a-9e36c4676c60}\DhcpSubnetMask255.255.255.0 13241300x800000000000000095936Microsoft-Windows-Sysmon/Operationalwin-host-301-SetValue2021-09-22 11:26:54.345{601D2BAB-04EE-614B-1100-00000000FD01}972C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{881f8b69-9828-40a2-bd6a-9e36c4676c60}\DhcpIPAddress10.0.1.15 13241300x800000000000000095935Microsoft-Windows-Sysmon/Operationalwin-host-301-SetValue2021-09-22 11:26:54.345{601D2BAB-04EE-614B-1100-00000000FD01}972C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{881f8b69-9828-40a2-bd6a-9e36c4676c60}\DhcpInterfaceOptionsBinary Data 23542300x8000000000000000113790Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:26:54.588{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D9289EABB32A58214200B8D9FBFA3FFF,SHA256=DD31AD5A1D431AECF7E7AECD34505014E904D95BA308542FDCDFD51C2251F4DF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000095951Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:26:55.751{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=02F0ACF3B17544E8AFB08FCCD9F4C51E,SHA256=119A44370CC016B3B3740E4C3CDE03BF59B441976CBDECCDF6CE13DA29158201,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000113793Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:26:55.620{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2183DDB52FBBC6E63A0181E6E0F08391,SHA256=9DFCAA2F6DE8213BB60FFDA6EFACD8C0F1DC9D00CE1BB3FC6BD4DE431260CC33,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000095950Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:26:54.207{601D2BAB-04F9-614B-6600-00000000FD01}2700C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-301.eu-central-1.compute.internal50430-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000095949Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:26:55.345{601D2BAB-04EE-614B-1100-00000000FD01}972NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=0AC63ED0C875DEC7CFDDED909550C09F,SHA256=E3313207D24788E87E3B4F4471B238E8DDFAC1B9D71A45C98D534FB1A06B9173,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000095948Microsoft-Windows-Sysmon/Operationalwin-host-301-SetValue2021-09-22 11:26:55.330{601D2BAB-04EE-614B-1500-00000000FD01}1032C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d7afa4-0xbf83cb12) 354300x8000000000000000113792Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:26:52.605{D0132419-04E8-614B-6A00-00000000FC01}3852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local53249-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000095955Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:26:56.751{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D8409A429010A3F5F31E0529A324FD2F,SHA256=5967E7FA5696CD89D208643DBD121AFE9468380705ABA60DA2C7D16F86F3A3EE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000113794Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:26:56.635{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E48BDDBBFFA65012964E6A1A5D2287D5,SHA256=DC96EA412F1B6D04ACCA42C640C8CDB9011870216251F53926A1C1AD7FDFF1EE,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000095954Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:26:54.309{601D2BAB-04EE-614B-1600-00000000FD01}1196C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetruea00:10f:0:0:9800:7f02:2dd:ffff-57961-truee000:fc:0:0:0:0:0:0-5355llmnr 354300x800000000000000095953Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:26:54.309{601D2BAB-04EE-614B-1600-00000000FD01}1196C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetruefe80:0:0:0:7ca6:4281:2cd4:bdcbwin-host-301.eu-central-1.compute.internal57961-trueff02:0:0:0:0:0:1:3-5355llmnr 354300x800000000000000095952Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:26:54.301{601D2BAB-04EE-614B-1100-00000000FD01}972C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruefalse10.0.1.15win-host-301.eu-central-1.compute.internal68bootpcfalse10.0.1.1ip-10-0-1-1.eu-central-1.compute.internal67bootps 23542300x800000000000000095956Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:26:57.752{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7227242ECD965AAA3612D60F1C6B12EE,SHA256=DE6F3DBE7F2D110F47F5462BBAAC0DEE466CDE0E739184443F2D96E1F8A1CB47,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000113799Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-SetValue2021-09-22 11:26:57.651{D0132419-04DD-614B-2B00-00000000FC01}3000C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Volumes\8EFF07E0-0000-0000-0000-100000000000\Volume Configuration File\\.\C:\System Volume Information\DFSR\Config\Volume_8EFF07E0-0000-0000-0000-100000000000.XML 13241300x8000000000000000113798Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-SetValue2021-09-22 11:26:57.651{D0132419-04DD-614B-2B00-00000000FC01}3000C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\EAA03964-875C-43CF-AA1A-8F0426A0E9C6\Config SourceDWORD (0x00000001) 13241300x8000000000000000113797Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-SetValue2021-09-22 11:26:57.651{D0132419-04DD-614B-2B00-00000000FC01}3000C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\EAA03964-875C-43CF-AA1A-8F0426A0E9C6\Replica Set Configuration File\\?\C:\System Volume Information\DFSR\Config\Replica_EAA03964-875C-43CF-AA1A-8F0426A0E9C6.XML 23542300x8000000000000000113796Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:26:57.636{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=961DE6AC98EC3C285A173258603457BA,SHA256=BC2D51F8E7B9D07A02710EAAE2BE15098253948D9A58BD15A590A43D24D244C3,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000113795Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:26:55.207{D0132419-04DD-614B-2A00-00000000FC01}2988C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-639.attackrange.local53domainfalse10.0.1.15WIN-HOST-30158651- 23542300x800000000000000095957Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:26:58.752{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=04276F24B9202845C9A3E46D61188874,SHA256=4D462771BD7835642AC9F3D42C81156A79F10E9D0771C142718AA078FCAAD364,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000113805Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:26:57.148{D0132419-04CD-614B-0B00-00000000FC01}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:b08d:bb0:abe3:5127win-dc-639.attackrange.local53251-truefe80:0:0:0:b08d:bb0:abe3:5127win-dc-639.attackrange.local389ldap 354300x8000000000000000113804Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:26:57.148{D0132419-04DD-614B-2B00-00000000FC01}3000C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:b08d:bb0:abe3:5127win-dc-639.attackrange.local53251-truefe80:0:0:0:b08d:bb0:abe3:5127win-dc-639.attackrange.local389ldap 354300x8000000000000000113803Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:26:57.124{D0132419-04CF-614B-0D00-00000000FC01}908C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:b08d:bb0:abe3:5127win-dc-639.attackrange.local53250-truefe80:0:0:0:b08d:bb0:abe3:5127win-dc-639.attackrange.local135epmap 354300x8000000000000000113802Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:26:57.124{D0132419-04DD-614B-2B00-00000000FC01}3000C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:b08d:bb0:abe3:5127win-dc-639.attackrange.local53250-truefe80:0:0:0:b08d:bb0:abe3:5127win-dc-639.attackrange.local135epmap 23542300x8000000000000000113801Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:26:58.666{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0A0A8ADF9B45EAE654091AB357B662C7,SHA256=A858C730FB7305E3F2805C1E6A6FD68ED2F52AE4378B9D20B5B5328F3D7B0042,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000113800Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:26:58.651{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=39539A2DBB59453A252B76319690EDB0,SHA256=684E908D69837C83A9C4CE44EFCB826248CE06127EB3388B856CF31B8CBF33B7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000095958Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:26:59.752{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=59149A3ED09BCA2465431B97172414A2,SHA256=031BB21932D773F9DACEE8FE55A4BCF26A4129C9382C9FB23FC9C9188B54F6B8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000113808Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:26:59.666{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A8CE91F217A25DC25DF005998946B516,SHA256=B84C9856250D99F5E1AD01855299948A69A749C8939639243A34689E1AA5F189,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000113807Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:26:57.159{D0132419-04CD-614B-0B00-00000000FC01}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:b08d:bb0:abe3:5127win-dc-639.attackrange.local53252-truefe80:0:0:0:b08d:bb0:abe3:5127win-dc-639.attackrange.local389ldap 354300x8000000000000000113806Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:26:57.159{D0132419-04DD-614B-2B00-00000000FC01}3000C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:b08d:bb0:abe3:5127win-dc-639.attackrange.local53252-truefe80:0:0:0:b08d:bb0:abe3:5127win-dc-639.attackrange.local389ldap 23542300x800000000000000095959Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:27:00.763{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3224C2EA9A893D89265BF01B730618C2,SHA256=CBC0EF156CEA96BAE5E9652E7357849211E925050EEDEC587038D34C64094E97,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000113809Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:27:00.682{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=712CB143590CC3379653F9A029467AAD,SHA256=85358C1B6DD888C935FBFCE2EB48B46DF5ECAFFE24DB54B5D32CFE8EF7405A30,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000095961Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:27:01.763{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=480067BF5AA81513FA31D4C9D9C0C70E,SHA256=4722EF4088214A24AE9F335FDFF95FFEC10F5D64606B8E33DF778D1089970315,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000095960Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:27:00.005{601D2BAB-04F9-614B-6600-00000000FD01}2700C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-301.eu-central-1.compute.internal50431-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000113811Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:27:01.698{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1963142CBDE7588F9CEBB8ACE8D712B6,SHA256=17C76A5F629A593D65AC612B2B5D358A93E91B6B2C4D061A60D9494C97A02C1D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000113810Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:26:58.527{D0132419-04E8-614B-6A00-00000000FC01}3852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local53253-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000095962Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:27:02.763{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=339889ED9BE94D777B8A6055FAC965A2,SHA256=3AE1694D1CB4D86895112FC970903CAEBCF2BC3661821EA9230E002AA77FB29C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000113812Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:27:02.713{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2BE78DA3572A6ACF1F946308306CA921,SHA256=9B0002388257B4436E7ED94E1A15C709C22203BBF1207ABBA480862C42AB5554,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000095963Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:27:03.763{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=45510858D150049A9EE6091BBD132086,SHA256=F12607A4247D064C56197961723294F38E9040905435204AC6ACF602B9BDC0CB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000113813Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:27:03.729{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6615DB5C1E722BEE07BC3F90356165EE,SHA256=48ED4EE7DCF7F71AB45FF1B48BFB1F55016682FC6C6FB740EB529450B52E9658,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000095964Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:27:04.763{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7BC819200BD3EC787518A5DE00896BC3,SHA256=84BD5DE5C783B8B5663E42B5EF3B4DD5BF3F6F8D504871C1D983026621802715,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000113814Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:27:04.729{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B2F1C4E949B37EEA46282C27CBBC2CB8,SHA256=EE1F20A148291284CD9379A813932AD7698670893C60CDE3CF00AC563383049D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000113816Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:27:03.667{D0132419-04E8-614B-6A00-00000000FC01}3852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local53254-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000113815Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:27:05.745{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=27D2BC00A1953E439291D1E8C700F250,SHA256=6AF4060EC3A954B6E0EDAFE7752F74BAF12D6A5A9788AB2951EE1752AAE95B93,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000095978Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:27:05.872{601D2BAB-04F0-614B-2B00-00000000FD01}28122832C:\Windows\system32\conhost.exe{601D2BAB-1309-614B-3B02-00000000FD01}2572C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000095977Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:27:05.872{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000095976Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:27:05.872{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000095975Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:27:05.872{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000095974Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:27:05.872{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000095973Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:27:05.872{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000095972Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:27:05.872{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000095971Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:27:05.872{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000095970Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:27:05.872{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000095969Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:27:05.872{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000095968Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:27:05.872{601D2BAB-04ED-614B-0500-00000000FD01}4121044C:\Windows\system32\csrss.exe{601D2BAB-1309-614B-3B02-00000000FD01}2572C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000095967Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:27:05.872{601D2BAB-04EF-614B-2300-00000000FD01}15603852C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{601D2BAB-1309-614B-3B02-00000000FD01}2572C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000095966Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:27:05.873{601D2BAB-1309-614B-3B02-00000000FD01}2572C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{601D2BAB-04EE-614B-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{601D2BAB-04EF-614B-2300-00000000FD01}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000095965Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:27:05.763{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D547ACEE768EDEFB34DDBDCF67B4CF95,SHA256=93B1B90C0FC75C2440FC446FC5B3C4EE663EDDAD5A9310F217378BCCAD097206,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000095980Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:27:06.763{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=256436A2D31CBCF2E062CF81CB5D5607,SHA256=8B082362318E26D105E37C6161C61FBC4852F51DBB530624F31DB98EF439E36F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000113838Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:27:06.932{D0132419-130A-614B-9002-00000000FC01}51565180C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D0132419-04DD-614B-2800-00000000FC01}2832C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000113837Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:27:04.220{D0132419-04C7-614B-0100-00000000FC01}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:b08d:bb0:abe3:5127win-dc-639.attackrange.local53255-truefe80:0:0:0:b08d:bb0:abe3:5127win-dc-639.attackrange.local445microsoft-ds 354300x8000000000000000113836Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:27:04.220{D0132419-04C7-614B-0100-00000000FC01}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:b08d:bb0:abe3:5127win-dc-639.attackrange.local53255-truefe80:0:0:0:b08d:bb0:abe3:5127win-dc-639.attackrange.local445microsoft-ds 10341000x8000000000000000113835Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:27:06.854{D0132419-04CD-614B-0B00-00000000FC01}640684C:\Windows\system32\lsass.exe{D0132419-04C7-614B-0100-00000000FC01}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d211|C:\Windows\system32\lsasrv.dll+2b3d4|C:\Windows\system32\lsasrv.dll+30485|C:\Windows\system32\lsasrv.dll+2e31b|C:\Windows\system32\lsasrv.dll+2d211|C:\Windows\system32\lsasrv.dll+15ded|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 23542300x8000000000000000113834Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:27:06.745{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1895DE531BFFAF3C4082FFC7103AE4A0,SHA256=F10424D10EC60E053EBCB57C7ECC69B500C49FBBB9A75AB7006B0757A6B45A1C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000113833Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:27:06.745{D0132419-04DE-614B-3100-00000000FC01}23683044C:\Windows\system32\conhost.exe{D0132419-130A-614B-9002-00000000FC01}5156C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000113832Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:27:06.745{D0132419-04CF-614B-0C00-00000000FC01}8481412C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000113831Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:27:06.745{D0132419-04CF-614B-0C00-00000000FC01}8481412C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000113830Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:27:06.745{D0132419-04CF-614B-0C00-00000000FC01}8481412C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000113829Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:27:06.745{D0132419-04CF-614B-0C00-00000000FC01}8481412C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000113828Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:27:06.745{D0132419-04CD-614B-0500-00000000FC01}424440C:\Windows\system32\csrss.exe{D0132419-130A-614B-9002-00000000FC01}5156C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000113827Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:27:06.745{D0132419-04DD-614B-2800-00000000FC01}28323704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D0132419-130A-614B-9002-00000000FC01}5156C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000113826Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:27:06.746{D0132419-130A-614B-9002-00000000FC01}5156C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{D0132419-04CD-614B-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{D0132419-04DD-614B-2800-00000000FC01}2832C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000113825Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:27:06.463{D0132419-130A-614B-8F02-00000000FC01}50245468C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{D0132419-04DD-614B-2800-00000000FC01}2832C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000113824Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:27:06.245{D0132419-04DE-614B-3100-00000000FC01}23683044C:\Windows\system32\conhost.exe{D0132419-130A-614B-8F02-00000000FC01}5024C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000113823Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:27:06.245{D0132419-04CF-614B-0C00-00000000FC01}8481412C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000113822Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:27:06.245{D0132419-04CF-614B-0C00-00000000FC01}8481412C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000113821Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:27:06.245{D0132419-04CF-614B-0C00-00000000FC01}8481412C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000113820Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:27:06.245{D0132419-04CF-614B-0C00-00000000FC01}8481412C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000113819Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:27:06.245{D0132419-04CD-614B-0500-00000000FC01}42492C:\Windows\system32\csrss.exe{D0132419-130A-614B-8F02-00000000FC01}5024C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000113818Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:27:06.245{D0132419-04DD-614B-2800-00000000FC01}28323704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D0132419-130A-614B-8F02-00000000FC01}5024C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000113817Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:27:06.245{D0132419-130A-614B-8F02-00000000FC01}5024C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D0132419-04CD-614B-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{D0132419-04DD-614B-2800-00000000FC01}2832C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000095979Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:27:05.032{601D2BAB-04F9-614B-6600-00000000FD01}2700C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-301.eu-central-1.compute.internal50432-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x800000000000000096009Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:27:07.809{601D2BAB-130B-614B-3D02-00000000FD01}28683472C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{601D2BAB-04EF-614B-2300-00000000FD01}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000113849Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:27:07.776{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5749E9D98A8BE58D7456309A013E4B97,SHA256=5BB838F0FF895F84453E81A2FB4C307507C875DA7D188EBD03115962ED37BD9E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000096008Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:27:07.685{601D2BAB-04F0-614B-2B00-00000000FD01}28122832C:\Windows\system32\conhost.exe{601D2BAB-130B-614B-3D02-00000000FD01}2868C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000096007Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:27:07.685{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000096006Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:27:07.685{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000096005Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:27:07.685{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000096004Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:27:07.685{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000096003Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:27:07.685{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000096002Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:27:07.685{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000096001Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:27:07.685{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000096000Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:27:07.685{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000095999Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:27:07.685{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000095998Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:27:07.685{601D2BAB-04ED-614B-0500-00000000FD01}412428C:\Windows\system32\csrss.exe{601D2BAB-130B-614B-3D02-00000000FD01}2868C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000095997Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:27:07.685{601D2BAB-04EF-614B-2300-00000000FD01}15603852C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{601D2BAB-130B-614B-3D02-00000000FD01}2868C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000095996Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:27:07.685{601D2BAB-130B-614B-3D02-00000000FD01}2868C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{601D2BAB-04EE-614B-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{601D2BAB-04EF-614B-2300-00000000FD01}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000095995Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:27:07.075{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=01DC755C8F605863DB8BB064C55C257F,SHA256=60735937CAF0F5DD2D224A9F49DB4F05578AB9EB88D16D97AC7C30A0889D10C7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000095994Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:27:07.075{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3F1E9A7672C8C4ECAF5FD62D219F9792,SHA256=2FF665F9C16EE45C85B6DE0DED2ACC1A277FEA40931190551B8F1896F22E299B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000095993Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:27:07.013{601D2BAB-04F0-614B-2B00-00000000FD01}28122832C:\Windows\system32\conhost.exe{601D2BAB-130B-614B-3C02-00000000FD01}4004C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000095992Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:27:07.013{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000095991Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:27:07.013{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000095990Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:27:07.013{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000095989Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:27:07.013{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000095988Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:27:07.013{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000095987Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:27:07.013{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000095986Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:27:07.013{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000095985Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:27:07.013{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000095984Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:27:07.013{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000095983Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:27:07.013{601D2BAB-04ED-614B-0500-00000000FD01}412528C:\Windows\system32\csrss.exe{601D2BAB-130B-614B-3C02-00000000FD01}4004C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000095982Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:27:07.013{601D2BAB-04EF-614B-2300-00000000FD01}15603852C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{601D2BAB-130B-614B-3C02-00000000FD01}4004C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000095981Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:27:07.014{601D2BAB-130B-614B-3C02-00000000FD01}4004C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{601D2BAB-04EE-614B-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{601D2BAB-04EF-614B-2300-00000000FD01}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000113848Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:27:07.401{D0132419-04DE-614B-3100-00000000FC01}23683044C:\Windows\system32\conhost.exe{D0132419-130B-614B-9102-00000000FC01}4508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000113847Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:27:07.401{D0132419-04CF-614B-0C00-00000000FC01}8481412C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000113846Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:27:07.401{D0132419-04CF-614B-0C00-00000000FC01}8481412C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000113845Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:27:07.401{D0132419-04CF-614B-0C00-00000000FC01}8481412C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000113844Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:27:07.401{D0132419-04CF-614B-0C00-00000000FC01}8481412C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000113843Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:27:07.401{D0132419-04CD-614B-0500-00000000FC01}424440C:\Windows\system32\csrss.exe{D0132419-130B-614B-9102-00000000FC01}4508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000113842Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:27:07.401{D0132419-04DD-614B-2800-00000000FC01}28323704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D0132419-130B-614B-9102-00000000FC01}4508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000113841Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:27:07.402{D0132419-130B-614B-9102-00000000FC01}4508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D0132419-04CD-614B-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{D0132419-04DD-614B-2800-00000000FC01}2832C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000113840Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:27:07.260{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=44058BE7B4BA27C61E1BC4191B535F33,SHA256=0485ADF13263A88BFC101BB9BA8763C0C41C077FD5645E6945F3EC51E4572E74,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000113839Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:27:07.260{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D992B77CDD47DDF9A6102341203B74A6,SHA256=9FDE0FCD4FD37CF139A837E241DDC49D4F030A9DABDC43F888CDBDADE8A5AD67,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000096012Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:27:08.856{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=96A835A6020F50112CB436D45E49F347,SHA256=C6B22F36C126F12A60B3058DDACF6A4494B905F0860A93E1B7A205002388FB88,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000113858Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:27:06.249{D0132419-04CD-614B-0B00-00000000FC01}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-639.attackrange.local53258-false10.0.1.14win-dc-639.attackrange.local389ldap 354300x8000000000000000113857Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:27:06.249{D0132419-04D0-614B-1000-00000000FC01}388C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local53258-false10.0.1.14win-dc-639.attackrange.local389ldap 354300x8000000000000000113856Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:27:06.233{D0132419-04CD-614B-0B00-00000000FC01}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:b08d:bb0:abe3:5127win-dc-639.attackrange.local53257-truefe80:0:0:0:b08d:bb0:abe3:5127win-dc-639.attackrange.local389ldap 354300x8000000000000000113855Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:27:06.233{D0132419-04D0-614B-1000-00000000FC01}388C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:b08d:bb0:abe3:5127win-dc-639.attackrange.local53257-truefe80:0:0:0:b08d:bb0:abe3:5127win-dc-639.attackrange.local389ldap 354300x8000000000000000113854Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:27:06.232{D0132419-04CF-614B-0D00-00000000FC01}908C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:b08d:bb0:abe3:5127win-dc-639.attackrange.local53256-truefe80:0:0:0:b08d:bb0:abe3:5127win-dc-639.attackrange.local135epmap 354300x8000000000000000113853Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:27:06.232{D0132419-04CD-614B-0B00-00000000FC01}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:b08d:bb0:abe3:5127win-dc-639.attackrange.local53256-truefe80:0:0:0:b08d:bb0:abe3:5127win-dc-639.attackrange.local135epmap 23542300x8000000000000000113852Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:27:08.791{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B97A06257ABD74FD9603046FA38A78F,SHA256=BAE003076EB464AF174BBC740A3A6AFC755ECBB49D32814D8836017EF3AA523B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000096011Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:27:08.747{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=01DC755C8F605863DB8BB064C55C257F,SHA256=60735937CAF0F5DD2D224A9F49DB4F05578AB9EB88D16D97AC7C30A0889D10C7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000096010Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:27:08.231{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D0EAD1D442FA267F2C4726E682DD89C4,SHA256=D6CCA6577D81AD4CE6436DA508DCE2A5D1F67D07B9B389D8557EF83D6F5A501F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000113851Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:27:08.684{D0132419-04DD-614B-2900-00000000FC01}2876NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-00d0db05f68d8430c\channels\health\respondent-20210922102639-058MD5=345F625AB226979275E8E5CD8333D545,SHA256=49B2C959B2C09B2DF7CFAED4905912E8B63F426A3734D76F2BAAFA07100D73D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000113850Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:27:08.416{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=44058BE7B4BA27C61E1BC4191B535F33,SHA256=0485ADF13263A88BFC101BB9BA8763C0C41C077FD5645E6945F3EC51E4572E74,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000096027Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:27:09.872{601D2BAB-130D-614B-3E02-00000000FD01}9403476C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{601D2BAB-04EF-614B-2300-00000000FD01}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000096026Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:27:09.856{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=928B8C1BB56E3F040FE1C9BA254AF782,SHA256=72559E80DD8D77EF7B48D41D93EF8A5502C4980AC1C0D2D4136959FA61EF772D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000113860Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:27:09.806{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EF13774C478710A56E825B01C9EF71A6,SHA256=D0FCEBC95F4564FE309D8C23662938CF06115B1BA6E27DC5BE8801C739939451,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000096025Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:27:09.747{601D2BAB-04F0-614B-2B00-00000000FD01}28122832C:\Windows\system32\conhost.exe{601D2BAB-130D-614B-3E02-00000000FD01}940C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000096024Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:27:09.747{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000096023Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:27:09.747{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000096022Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:27:09.747{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000096021Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:27:09.747{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000096020Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:27:09.747{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000096019Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:27:09.747{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000096018Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:27:09.747{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000096017Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:27:09.747{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000096016Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:27:09.747{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000096015Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:27:09.747{601D2BAB-04ED-614B-0500-00000000FD01}412428C:\Windows\system32\csrss.exe{601D2BAB-130D-614B-3E02-00000000FD01}940C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000096014Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:27:09.747{601D2BAB-04EF-614B-2300-00000000FD01}15603852C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{601D2BAB-130D-614B-3E02-00000000FD01}940C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000096013Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:27:09.748{601D2BAB-130D-614B-3E02-00000000FD01}940C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{601D2BAB-04EE-614B-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{601D2BAB-04EF-614B-2300-00000000FD01}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000113859Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:27:09.699{D0132419-04DD-614B-2900-00000000FC01}2876NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-00d0db05f68d8430c\channels\health\surveyor-20210922102637-059MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000096043Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:27:10.872{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB21A90FA7660926A88C8DF24D2DCBD2,SHA256=AC11B768AFE480DB458C0C0D55854D4E8EDD4C5847360B172888FFB7C4F21331,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000113861Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:27:10.811{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EAC59C416F508DCCA182CC0307A172E1,SHA256=1905DC200BF37849E097ED1225A5FE6407FA58D9FD75D3EB86C8A6B1914C6590,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000096042Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:27:10.747{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9FB57528D66A2985D4DD1C8965242B81,SHA256=98426FE24CCB146D1C3C91DB2A3B8DBC8170E35E44F4DE3F77F3CDA21EB8FD16,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000096041Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:27:10.545{601D2BAB-130E-614B-3F02-00000000FD01}30964056C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{601D2BAB-04EF-614B-2300-00000000FD01}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000096040Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:27:10.419{601D2BAB-04F0-614B-2B00-00000000FD01}28122832C:\Windows\system32\conhost.exe{601D2BAB-130E-614B-3F02-00000000FD01}3096C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000096039Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:27:10.419{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000096038Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:27:10.419{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000096037Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:27:10.419{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000096036Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:27:10.419{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000096035Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:27:10.419{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000096034Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:27:10.419{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000096033Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:27:10.419{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000096032Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:27:10.419{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000096031Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:27:10.419{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000096030Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:27:10.419{601D2BAB-04ED-614B-0500-00000000FD01}4121044C:\Windows\system32\csrss.exe{601D2BAB-130E-614B-3F02-00000000FD01}3096C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000096029Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:27:10.419{601D2BAB-04EF-614B-2300-00000000FD01}15603852C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{601D2BAB-130E-614B-3F02-00000000FD01}3096C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000096028Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:27:10.419{601D2BAB-130E-614B-3F02-00000000FD01}3096C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{601D2BAB-04EE-614B-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{601D2BAB-04EF-614B-2300-00000000FD01}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000096059Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:27:11.872{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2DB5386FD00858CA1F131AC4771B46F0,SHA256=492C333CB9E4D4ADEFBCA4070CAC2E52238E752DF13FB971386040FE420A8E62,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000113862Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:27:11.842{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2DD7382070DD15740479D1AEA71B5405,SHA256=0F7C2DB52229FBE282A9EF032A92590C9F7D6862C44D1DB6177AB845292F83DC,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000096058Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:27:10.157{601D2BAB-04F9-614B-6600-00000000FD01}2700C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-301.eu-central-1.compute.internal50433-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x800000000000000096057Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:27:11.215{601D2BAB-130F-614B-4002-00000000FD01}16041168C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{601D2BAB-04EF-614B-2300-00000000FD01}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000096056Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:27:11.091{601D2BAB-04F0-614B-2B00-00000000FD01}28122832C:\Windows\system32\conhost.exe{601D2BAB-130F-614B-4002-00000000FD01}1604C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000096055Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:27:11.091{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000096054Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:27:11.091{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000096053Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:27:11.091{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000096052Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:27:11.091{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000096051Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:27:11.091{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000096050Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:27:11.091{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000096049Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:27:11.091{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000096048Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:27:11.091{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000096047Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:27:11.091{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000096046Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:27:11.091{601D2BAB-04ED-614B-0500-00000000FD01}412528C:\Windows\system32\csrss.exe{601D2BAB-130F-614B-4002-00000000FD01}1604C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000096045Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:27:11.091{601D2BAB-04EF-614B-2300-00000000FD01}15603852C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{601D2BAB-130F-614B-4002-00000000FD01}1604C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000096044Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:27:11.091{601D2BAB-130F-614B-4002-00000000FD01}1604C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{601D2BAB-04EE-614B-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{601D2BAB-04EF-614B-2300-00000000FD01}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000096074Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:27:12.950{601D2BAB-04F0-614B-2B00-00000000FD01}28122832C:\Windows\system32\conhost.exe{601D2BAB-1310-614B-4102-00000000FD01}3276C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000096073Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:27:12.950{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000096072Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:27:12.950{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000096071Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:27:12.950{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000096070Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:27:12.950{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000096069Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:27:12.950{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000096068Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:27:12.950{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000096067Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:27:12.950{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000096066Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:27:12.950{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000096065Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:27:12.950{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000096064Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:27:12.950{601D2BAB-04ED-614B-0500-00000000FD01}4121044C:\Windows\system32\csrss.exe{601D2BAB-1310-614B-4102-00000000FD01}3276C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000096063Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:27:12.950{601D2BAB-04EF-614B-2300-00000000FD01}15603852C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{601D2BAB-1310-614B-4102-00000000FD01}3276C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000096062Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:27:12.951{601D2BAB-1310-614B-4102-00000000FD01}3276C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{601D2BAB-04EE-614B-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{601D2BAB-04EF-614B-2300-00000000FD01}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000096061Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:27:12.903{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=54D3E20DFBD8192DF81DFE9177938C75,SHA256=8815F4D9E27A56A4E5B60A12B81EC5868AD214AB84E9C2BADD7756E21FD7646E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000113864Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:27:12.858{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4767B373C02CBFAF816433B0AFE692D9,SHA256=C9F16BBE4CD2D18C302204B066B53EA86E54042F16DE3E01327E3963D257D545,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000096060Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:27:12.309{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=633E144E246425DC645E3871DD8760C8,SHA256=AE600A5056B7739F0F7DE348A43F4CF27E15045F70FD5C867F284B66BA2C0A7C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000113863Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:27:09.556{D0132419-04E8-614B-6A00-00000000FC01}3852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local53259-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000096075Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:27:13.903{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE719FD17D4E25E7A925C5835FF22A3A,SHA256=6140C5CE2D2586FBBBD2776D4F6E0443112057EBB2E06BDEA2D5E2802E68D95B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000113865Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:27:13.858{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E1FF7D06648592D77485FE0B937EC14,SHA256=07A909416480A4BEC244A68E34DBD38CAA70C9823F3D618251C7E4E11D4CE51A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000096077Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:27:14.934{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D51A135748E1BB8EFA6D8B92E98D8081,SHA256=3B7EF241856290E5030176D973BCF35C9E782FE4864D807C7502906851E6E973,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000113866Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:27:14.873{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E2CEDDA5ED980A16BCDA266C1337E3F6,SHA256=C2005B60B497B577158D04100087CF8C4659F58E3B8007CF8C42B5E5D022D5EC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000096076Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:27:14.168{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A91C48956FDCB8B0430006992C63222C,SHA256=7821A2D970EC7EB6E73FC6DA09AD9931E2DC97B968E2AFD2659745894EC8A0EA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000113870Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:27:15.905{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F10CD86787C3A64988CF169533D657F,SHA256=98282CC399FBE59A9B0FCC642C3195F56DA3CD4C8B111FED3923D16F5A058A72,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000096078Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:27:15.981{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AF27340507D4216B6CD550135364CCB3,SHA256=533C37CF861A7CF5A6B46A1150937B36F630DA647850FA350B75EB226C679C63,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000113869Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:27:15.686{D0132419-04DD-614B-2800-00000000FC01}2832NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\fishbucket\splunk_private_db\snapshot.old\snap.datMD5=9B8A22B92138CF911F2A5CE471C02655,SHA256=84B0331F607B2C01336BC38278AC655B07C379E3239F6A6ADC5C2B5797EB9258,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000113868Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:27:15.686{D0132419-04DD-614B-2800-00000000FC01}2832NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\fishbucket\splunk_private_db\snapshot.old\btree_records.datMD5=B838E4BB9FA9F1CDEEB320BFB0AA5537,SHA256=CC6ECA189356433DB7BD350502C2637CBB37CC1D43DD103BA1DB83A27AA5A67A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000113867Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:27:15.686{D0132419-04DD-614B-2800-00000000FC01}2832NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\fishbucket\splunk_private_db\snapshot.old\btree_index.datMD5=92B33DBC9F6DA59404E27995BE2AC16C,SHA256=1514C712E1757E34D413CF0AED5289AB5EF159FF33D2B3AACFAD84141C596535,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000096079Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:27:16.981{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D965A168BA04426C8ABF317932CB82F9,SHA256=EA3F19FC79B61B6F470B63880E37D246BDFF32DD18F3F33921E43B1ABAC80B4E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000113871Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:27:16.920{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C06ECBB11A8E58F1127FE62ADFD121D2,SHA256=8700DCFF47F25D13A60D0D01BA93482070EC96607C4CE8672280552ADF674E4B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000096081Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:27:17.996{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=59B07B8BF1F03AEF336B01F2E3A0322A,SHA256=D5103B82F99E6315F78B7BCEE09164730AA67845BBF1C1A4BDD761799A14EC9B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000113877Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:27:17.920{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=367F2838201BD9212D381030692E4BA5,SHA256=81D9BC5FD25C218EB7C784492C2F5D08CB619C083F05FC11DA938AA4B7C681FD,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000096080Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:27:16.017{601D2BAB-04F9-614B-6600-00000000FD01}2700C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-301.eu-central-1.compute.internal50434-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x8000000000000000113876Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:27:17.748{D0132419-04CF-614B-0C00-00000000FC01}8486036C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2700-00000000FC01}2804C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000113875Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:27:17.748{D0132419-04CF-614B-0C00-00000000FC01}8486036C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2700-00000000FC01}2804C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000113874Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:27:17.748{D0132419-04CF-614B-0C00-00000000FC01}8486036C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2700-00000000FC01}2804C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000113873Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:27:17.748{D0132419-04CF-614B-0C00-00000000FC01}8486036C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2700-00000000FC01}2804C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000113872Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:27:14.733{D0132419-04E8-614B-6A00-00000000FC01}3852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local53260-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000096082Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:27:18.996{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0537A69AFF1F73E47587DAC080A4B803,SHA256=9F4C808214E908B255843D0696AF8A95F514CAEF303C158BD28098BC1238E33A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000096083Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:27:19.996{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F5A62AE48BEFB60B4259608C14E231E,SHA256=0FCC57B741918168E5C6C0619E28DFDB3F2A7AE59EE35498CC9942420D2B5689,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000113878Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:27:19.061{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B379EDD6ADD4B98C19E047737130AFB9,SHA256=D3F69EA959CF958456CE8775BD7897BAC9D2354A754AECA4A12532CD8510B322,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000113879Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:27:20.076{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F98A96B04260B89D781700E8FCC3F30,SHA256=8F00F355FCDB71F70F53F25C33645E4FFAB4CA0171F84A07B124C3CEAEFFE827,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000113880Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:27:21.076{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A5D7C737A0F66554621F4B056766DF4,SHA256=C75A324E2072B8F3DCCCC3215B185953FAD8EB4A1C61510E281B40A4BDEB0DDA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000096084Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:27:21.039{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9FF6CBF80E3A29D0667EA04D7FA8CE81,SHA256=0FB0A205E4CB83F64BED2F33790963C5FD63B03438E8AC1DDB00E9591739DC3F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000096085Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:27:22.055{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4144A54E8CA0FEE7C254C920B8E18A89,SHA256=39F0C9FEE201F9BF5EDE811B0CAA8B73727CCEB18403EBDBC88F0F62AF62968D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000113883Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:27:22.248{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FFD1EEB5884B5FDEE9E367D30231ADEE,SHA256=DA9E5CE57EDBD8C04805B409F30C621A880D37FAF2E20F42AB123E4E6620A9BD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000113882Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:27:22.248{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AF46A3DAA824B2F58ABC0F3FAD5108CC,SHA256=6B3BE9E4F9D8406E9ACA2770ABDA3F232CAE564DC1AB6DFF08B6A2CB58742A6D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000113881Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:27:22.108{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BD4BD68BB4745D6B0109EFCB9F99F59C,SHA256=1E3A31FEB9F6F52673B0148A3FDD47D9B747D113E9DC7B1E7E10CC1D05F09E71,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000096087Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:27:23.102{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BBD77B3DC3D0BFACA8B645D1F2014537,SHA256=7FD0CC5A3774BEC35EB7F41A9FE45FC33F34E28A18F52F562CF196B13862F143,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000096086Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:27:21.060{601D2BAB-04F9-614B-6600-00000000FD01}2700C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-301.eu-central-1.compute.internal50435-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x8000000000000000113892Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:27:23.873{D0132419-04CF-614B-0C00-00000000FC01}8486036C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000113891Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:27:23.873{D0132419-04CF-614B-0C00-00000000FC01}8486036C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000113890Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:27:23.873{D0132419-04CF-614B-0C00-00000000FC01}8486036C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000113889Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:27:23.858{D0132419-04CF-614B-0C00-00000000FC01}8486036C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000113888Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:27:23.858{D0132419-0A63-614B-3F01-00000000FC01}30763140C:\Windows\system32\csrss.exe{D0132419-131B-614B-9202-00000000FC01}5176C:\Program Files\Notepad++\notepad++.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000113887Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:27:23.858{D0132419-0A66-614B-5001-00000000FC01}41923872C:\Windows\Explorer.EXE{D0132419-131B-614B-9202-00000000FC01}5176C:\Program Files\Notepad++\notepad++.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Notepad++\NppShell_06.dll+4449|C:\Program Files\Notepad++\NppShell_06.dll+46a6|C:\Windows\System32\SHELL32.dll+80257|C:\Windows\System32\SHELL32.dll+6716e|C:\Windows\System32\SHELL32.dll+17c27c|C:\Windows\System32\SHELL32.dll+19ea38|C:\Windows\System32\SHELL32.dll+284683|C:\Windows\system32\explorerframe.dll+13cf7b|C:\Windows\system32\explorerframe.dll+139d07|C:\Windows\System32\SHELL32.dll+17c520|C:\Windows\System32\SHELL32.dll+17999e|C:\Windows\System32\SHELL32.dll+736c1|C:\Windows\System32\SHELL32.dll+765a6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\System32\DUser.dll+17b15|C:\Windows\SYSTEM32\atlthunk.dll+1026|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53 154100x8000000000000000113886Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:27:23.813{D0132419-131B-614B-9202-00000000FC01}5176C:\Program Files\Notepad++\notepad++.exe8.14Notepad++ : a free (GPL) source code editorNotepad++Don HO don.h@free.frnotepad++.exe"C:\Program Files\Notepad++\notepad++.exe" "C:\Program Files\ansible\AttackRangeSysmon.xml"C:\Windows\system32\ATTACKRANGE\Administrator{D0132419-0A65-614B-76B4-0E0000000000}0xeb4762HighMD5=8D93FF22077355875C7BC59CEBE98B4F,SHA256=A345288CDF2B0A43B64E0C3264FC2839A76C98835CAC1A1920D68E21DD444EB3,IMPHASH=D3A8B6DC8BC0179C654D96C4AD61A9D1{D0132419-0A66-614B-5001-00000000FC01}4192C:\Windows\explorer.exeC:\Windows\Explorer.EXE /NOUACCHECK 354300x8000000000000000113885Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:27:20.733{D0132419-04E8-614B-6A00-00000000FC01}3852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local53261-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000113884Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:27:23.139{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB6014C25C4DDFED42D0AC905F5526FA,SHA256=92E4EED5553F6C2245FAC9DEF37248207790389A411BFE78C749BF55B8397B53,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000113901Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:27:24.811{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FFD1EEB5884B5FDEE9E367D30231ADEE,SHA256=DA9E5CE57EDBD8C04805B409F30C621A880D37FAF2E20F42AB123E4E6620A9BD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000113900Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:27:24.451{D0132419-0A66-614B-5001-00000000FC01}41924300C:\Windows\Explorer.EXE{D0132419-0AE6-614B-7101-00000000FC01}4912C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62f15|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000113899Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:27:24.451{D0132419-0A66-614B-5001-00000000FC01}41924300C:\Windows\Explorer.EXE{D0132419-0AE6-614B-7101-00000000FC01}4912C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e2e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000113898Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:27:24.451{D0132419-0A66-614B-5001-00000000FC01}41924300C:\Windows\Explorer.EXE{D0132419-0AE6-614B-7101-00000000FC01}4912C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62df7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000113897Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:27:24.326{D0132419-0A66-614B-5001-00000000FC01}41924344C:\Windows\Explorer.EXE{D0132419-0AE6-614B-7101-00000000FC01}4912C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62890|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000113896Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:27:24.326{D0132419-0A66-614B-5001-00000000FC01}41924344C:\Windows\Explorer.EXE{D0132419-0AE6-614B-7101-00000000FC01}4912C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47bc0|C:\Windows\System32\SHELL32.dll+6284c|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000113895Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:27:24.326{D0132419-0A66-614B-5001-00000000FC01}41924344C:\Windows\Explorer.EXE{D0132419-0AE6-614B-7101-00000000FC01}4912C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62820|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000113894Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:27:24.326{D0132419-0A66-614B-5001-00000000FC01}41924344C:\Windows\Explorer.EXE{D0132419-0AE6-614B-7101-00000000FC01}4912C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000113893Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:27:24.217{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CFDCE92AABC0E72ECFA006D35077DB5A,SHA256=06D3D63C6D5158C99DDA96AB12AD2ADFBFF95AB37A8FC746D1DE6AC787343F56,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000096088Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:27:24.133{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=80895F3FE6AD8B1843A927F87AE99469,SHA256=F456C2EBD6930ED7B17FB310915B320C86B47F6B282E52B02DD54E19288C3BB0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000113903Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:27:25.248{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=14705DF0CAD905A423C8B733C4A0E00D,SHA256=0D19D22D8DF414A27FB2180E6D3AE046A2AFC7C52A0071986E8B49F6075E65F9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000096089Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:27:25.133{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=73B82093B64B86F1D21E6FF28E19AD33,SHA256=CB59251FF225102C11C34064037DE9502C61C13AAFAACBE4BD6BC7E396CEB1BA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000113902Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:27:25.108{D0132419-04D0-614B-1300-00000000FC01}396NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=B1BB1C0BD4A578FFA7200E81D7519DF6,SHA256=CD87E25435704870B5818D3677396658984972FE8AFFA97294DE1F65CFED6F6B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000113904Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:27:26.280{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=256DEF800E001CD9E7344884EB9D4BDA,SHA256=466D5172934BC8AADBF9D4A0D15EDB8FB71C621BE1B6C3B9E5BE79F124F006AF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000096091Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:27:26.213{601D2BAB-04EF-614B-1D00-00000000FD01}1920NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-03510517867203100\channels\health\respondent-20210922102657-058MD5=22FBA84AE51C77110BB6250FAEBEFB73,SHA256=8C4862C18A6D8E85F040577B2F2863C8212E82437A5FE9547DE6724818512818,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000096090Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:27:26.133{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0A3AE80FFAC9E0E16A06047ACB310AEE,SHA256=15FB6904A03361FD95072FAB98CCF3ED9645008EF5A18D4092E5D19D6712A24E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000113905Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:27:27.311{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B08259CE367632783B82A23907BD75E6,SHA256=F3EF73BF629C4D1D762D2B9541B20BCDADE02FF1E06D15100E4B415173F9E8CB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000096093Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:27:27.225{601D2BAB-04EF-614B-1D00-00000000FD01}1920NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-03510517867203100\channels\health\surveyor-20210922102655-059MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000096092Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:27:27.163{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E9BB097C3A2B3BBBC7EC664CEA28C2B3,SHA256=454C970BDD80B8207199DE9F45D1B4F45A6BABB5D690D17487D158064CE59EBD,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000113907Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:27:26.624{D0132419-04E8-614B-6A00-00000000FC01}3852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local53262-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000113906Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:27:28.311{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2FB8A883FCE3EE960A4761FA6B8DA28F,SHA256=9810086FD0A670DC18119DE6EA2A53F6FD45B2ED7C60CDFF29B6178354C909C1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000096095Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:27:28.255{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=02A479FB520E5F023BA8A067EC5F8C82,SHA256=B20E048852E601608CC2EF20F0F4534B7AFFC90563B0FCE1BDA4BF08CF04F9A9,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000096094Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:27:26.200{601D2BAB-04F9-614B-6600-00000000FD01}2700C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-301.eu-central-1.compute.internal50436-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000113908Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:27:29.483{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7DDD4733B6FB8D5312C947FE46F97FF0,SHA256=8EAC6FC803DC72D41464AB57C2362BA7EEA9F1BA552DDFFAE1CE40EF733ECC24,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000096096Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:27:29.271{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C8529823F36FB64C7253CC18B9779291,SHA256=73D17653BC792656232C1C0CE0494DEB0032AE42DE9D24DEBC543944ECD2C4E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000113909Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:27:30.498{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3360E6FCC7F12D122C4A38A72EFA60A9,SHA256=5466BE7B74FD6AA89B908FCCB28F0869D335C6CFF6A58A41B2DDC334E25CF970,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000096097Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:27:30.271{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D71539C38E2ED2E98A86BB7139AA41E,SHA256=DAA95CD9234DB6030E8D9F75D238726868DE11CBE0637E8300382BE2A96EBB9F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000113910Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:27:31.561{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD6D3AF73632A9FDCA053A3F6FDC46C9,SHA256=9575253FB58AAB0567292EF934964ABCF3A2C421370E0E2EAD9C08C12AB35A98,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000096098Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:27:31.271{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=52F03CEC81269C2C554C3F9D84B85116,SHA256=60F76A473D74DF88687407C2E65BAAF016245A6B88ED32C88DE99C606EE65A9D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000113911Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:27:32.592{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B13372F6674E8F26FDA129D648206997,SHA256=B6D6ADFE4E49432B778D12AB73F5851934D00EAD296703506AA6FEF1AFC963B0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000096102Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:27:32.270{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D1FA3CEA2D9062E795ED234027A77C40,SHA256=DF59F1E910A37065044F02421C0BD8AEA0D3330A75ECC5F32EFB10402014A30D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000096101Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:27:32.255{601D2BAB-04EF-614B-2300-00000000FD01}1560NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\fishbucket\splunk_private_db\snapshot.old\snap.datMD5=A90E492C12532950B8B8856603254D9D,SHA256=ED497891FD2E6CFF53990EDBF3ECC71EA7E6198B287F1FE7F96FFBBE3097FA8B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000096100Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:27:32.255{601D2BAB-04EF-614B-2300-00000000FD01}1560NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\fishbucket\splunk_private_db\snapshot.old\btree_records.datMD5=2BCD81257BFEDBE197D161800D33ADAB,SHA256=B3A357E4BF0413F5B3FEF26C0E8C53CD511AD6EC5A12B2B1CBC6979251E524BC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000096099Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:27:32.255{601D2BAB-04EF-614B-2300-00000000FD01}1560NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\fishbucket\splunk_private_db\snapshot.old\btree_index.datMD5=2CF9FAA452940DEBDDE50F12B56D5FAE,SHA256=C54845484E574BC2C8F7A7737951F9AFF43E928F6C80F703A760B619C2C8DC3C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000113913Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:27:31.717{D0132419-04E8-614B-6A00-00000000FC01}3852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local53263-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000113912Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:27:33.608{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C5F57925F4880A933B1035169A6D37BB,SHA256=382A9FE3102AC6C556BDCB330C8753B01946B69E2107A2F7CA87D45776FE6768,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000096104Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:27:32.073{601D2BAB-04F9-614B-6600-00000000FD01}2700C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-301.eu-central-1.compute.internal50437-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000096103Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:27:33.270{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC63241C5578650F1BE75E13BED44F80,SHA256=65CCF9D47AC5ECDD8C78B2279FD7DB61441802BE1B2DBC531DC033CF125225EC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000113914Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:27:34.623{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6E0279E13E32FB36457049A83287771B,SHA256=C01F696D179E58D7516591E6BEFBB7A347402DD9BA3589666BB3E6E1544DD4A6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000096105Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:27:34.286{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9655870091A2BDC5653D3D2056DB6854,SHA256=9F1A8627AF7DC1AE4B17EBA5EAF5E1056B03C79A29C3F718575BB77A70D06D7C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000113915Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:27:35.639{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F7A1A1273DE81CE2207F065FC03F1C56,SHA256=AD09C10B7273E5A1CD921B6DE4F15DA6935FCA3FE0D82461319F02C43185E124,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000096106Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:27:35.302{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=87252BC3118C8E6CD02B501846B35713,SHA256=8554BA68A912D34687958C747DD34BA3B7705A10A8E7A77A89B79CC83DE898B7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000113916Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:27:36.655{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A77FD1868C77D4B00E8B85EFADCA9C66,SHA256=ADE0FF32B35544D72E3C2034DB5F13376FF386C57978736FA640FFBF17BE61B9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000096107Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:27:36.348{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9CE74F2D828516FAD967FFB3DA59EAF6,SHA256=93FD622683B05EE2FD2555660E8572EB24B9F9F41FF599B0A25B83CCE0246102,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000113918Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:27:37.670{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B5B00FD688B068C59954DBF65A40DF2B,SHA256=FB0756397911C92A44B68E06B6B063ACBA4BBB3A2561F28553C0691C631FE01A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000096108Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:27:37.348{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=87C618F16323B54F720EEB592EC75F41,SHA256=AF2C24210A85DBD57903B18A89D30D2011F4E0F5FEDBCC16C3086322ED7E1732,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000113917Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:27:37.108{D0132419-04DD-614B-2800-00000000FC01}2832NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=2990B16A694DD695D7F6C8AE7AEE48F0,SHA256=B465CF03FBDF89CAB3FC04972E2D540944CDC3DF8EB3010FFE979D2D499C10D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000113919Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:27:38.686{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9634B41D7E425812286C7EBEC729E91B,SHA256=574B64BF427A56B733A5DCC5109E413760BBAA8C156A7859FB4D35465A57782F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000096109Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:27:38.379{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A56DF39E1227853352DEC2E355BA9BA3,SHA256=68FC7C25790E293EBE048D2ED6C35DC64AC049A6677EB30E3FB85D85A950950F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000113921Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:27:39.717{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4AF3B3C2B46AF8FCB722E97714667BC2,SHA256=001288C32D5F6A1CCB58C9AF6859D4B49FA7EE4CD956CA63A2CF6F56EF6650DC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000096110Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:27:39.379{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B7757E761E4E5140B0312F5332CB6947,SHA256=A6EEF28E7C37F3FC62479DE9D4E1BB311E3AD8E3ABC9393F2BD7EEFE27E410DA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000113920Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:27:36.577{D0132419-04DD-614B-2800-00000000FC01}2832C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local53264-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x8000000000000000113924Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:27:40.904{D0132419-0AE6-614B-7101-00000000FC01}4912ATTACKRANGE\AdministratorC:\Program Files\Notepad++\notepad++.exeC:\Users\Administrator\AppData\Roaming\Notepad++\session.xmlMD5=5C2032D6CB396248F1BBFB5A28123C1B,SHA256=4B79AD9CA5399BD6A066F5171214D9FD6812D9BBA6B14EC74BFC639B717F315A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000113923Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:27:40.748{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B135C1F8F7679C3FE2B6A19B2C0A2FC,SHA256=AC26FCFAABB24ED45A7AFD16F320D7DA5D5B78408CCC05AAA3165EF8C0406517,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000096112Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:27:38.026{601D2BAB-04F9-614B-6600-00000000FD01}2700C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-301.eu-central-1.compute.internal50438-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000096111Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:27:40.449{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=11613C729A03699914732C2B8D0534CA,SHA256=748150034312064C8C78F3AA6A7CC29E18F67D5088102625C83F1971EA857FF4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000113922Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:27:37.561{D0132419-04E8-614B-6A00-00000000FC01}3852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local53265-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000113925Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:27:41.779{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E80D0D30E721760B74B5A94536CE7322,SHA256=DD0E2D6C9FF84A6BD96DCEE7F7E05C2F47680E19C836478BBD47E4A32F60C0E1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000096113Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:27:41.464{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=918761D1AC9E7C3B9868038925DC53C8,SHA256=4610C70AC52FF67F4D3C1A076AAB6C040A40045C02CF35EA0BA7A3FE128533EE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000096115Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:27:42.495{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED912BED91F67FAC6476AA8E8648D89E,SHA256=4C1D4520EF586F7BD994671EA9D6C785A722E6A58F1FC97869BE29000B6658D8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000113926Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:27:42.795{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=42AEA65540FCB53A03930A1832DB29CE,SHA256=35004FF1A8F7E3CAF8F0AE049255C4C4FAC6692966CD33A2D2C57F9A243D7FF3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000096114Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:27:42.120{601D2BAB-04EF-614B-2300-00000000FD01}1560NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=2990B16A694DD695D7F6C8AE7AEE48F0,SHA256=B465CF03FBDF89CAB3FC04972E2D540944CDC3DF8EB3010FFE979D2D499C10D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000113976Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:27:43.795{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A4F62DC086825590503C94FD0F8743F5,SHA256=A445B9B87AA7BFCDA17E21AB62E6D6973C3B7466CB77C608F0A1C726A5F26F56,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000096117Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:27:42.065{601D2BAB-04EF-614B-2300-00000000FD01}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-301.eu-central-1.compute.internal50439-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x800000000000000096116Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:27:43.495{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F334BEF284F613A5095ECE2E0CDB19E8,SHA256=085D0DCB569899A3A21CB8ED7C87DBE72CD6DAA208346528445BB25C3833E0E8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000113975Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:27:43.265{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F8349E72B34E874AEE5F4D3A638C381B,SHA256=4F2E1596273D05FABEDBB6C34A7CDAC80267753FD07A8E0FD7CE383E1EC5B3A6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000113974Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:27:43.265{D0132419-0A65-614B-4601-00000000FC01}7125160C:\Windows\System32\RuntimeBroker.exe{D0132419-0A67-614B-5201-00000000FC01}4528C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+16557|C:\Windows\system32\windows.cortana.Desktop.dll+12d9b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+76e7a|C:\Windows\System32\combase.dll+6dc4d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b283|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000113973Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:27:43.265{D0132419-0A65-614B-4601-00000000FC01}7125160C:\Windows\System32\RuntimeBroker.exe{D0132419-0A67-614B-5201-00000000FC01}4528C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+12d31|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+76e7a|C:\Windows\System32\combase.dll+6dc4d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b283|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000113972Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:27:43.248{D0132419-0A66-614B-5001-00000000FC01}41925252C:\Windows\Explorer.EXE{D0132419-0A67-614B-5201-00000000FC01}4528C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000113971Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:27:43.248{D0132419-0A66-614B-5001-00000000FC01}41925252C:\Windows\Explorer.EXE{D0132419-0A67-614B-5201-00000000FC01}4528C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000113970Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:27:43.233{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5879220DC98B2F830CBC7695E74C1906,SHA256=25C49D208C54286A873C5990CED1BE77519FE8D89355CE0B9903D2C791BDFCA3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000113969Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:27:43.233{D0132419-0A65-614B-4601-00000000FC01}7125160C:\Windows\System32\RuntimeBroker.exe{D0132419-0A67-614B-5201-00000000FC01}4528C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\System32\execmodelclient.dll+8e62|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x8000000000000000113968Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:27:43.233{D0132419-0A65-614B-4601-00000000FC01}7125160C:\Windows\System32\RuntimeBroker.exe{D0132419-0A67-614B-5201-00000000FC01}4528C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\System32\execmodelclient.dll+8d5e|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x8000000000000000113967Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:27:43.233{D0132419-0A65-614B-4601-00000000FC01}7122296C:\Windows\System32\RuntimeBroker.exe{D0132419-0A67-614B-5201-00000000FC01}4528C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+76e7a|C:\Windows\System32\combase.dll+6dc4d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b283|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000113966Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:27:43.233{D0132419-0A65-614B-4601-00000000FC01}7122296C:\Windows\System32\RuntimeBroker.exe{D0132419-0A67-614B-5201-00000000FC01}4528C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+76e7a|C:\Windows\System32\combase.dll+6dc4d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b283|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 10341000x8000000000000000113965Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:27:43.202{D0132419-0A66-614B-5001-00000000FC01}4192944C:\Windows\Explorer.EXE{D0132419-0A67-614B-5101-00000000FC01}4416C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000113964Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:27:43.202{D0132419-0A66-614B-5001-00000000FC01}4192944C:\Windows\Explorer.EXE{D0132419-0A67-614B-5101-00000000FC01}4416C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000113963Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:27:43.202{D0132419-0A66-614B-5001-00000000FC01}41924308C:\Windows\Explorer.EXE{D0132419-0A67-614B-5201-00000000FC01}4528C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+b6c18|C:\Windows\System32\TwinUI.dll+b7777|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+37c8f|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+34376|C:\Windows\System32\combase.dll+33b2a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x8000000000000000113962Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:27:43.202{D0132419-0A66-614B-5001-00000000FC01}41924308C:\Windows\Explorer.EXE{D0132419-0A67-614B-5201-00000000FC01}4528C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+b6c18|C:\Windows\System32\TwinUI.dll+b7777|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+37c8f|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+34376|C:\Windows\System32\combase.dll+33b2a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x8000000000000000113961Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:27:43.186{D0132419-0A66-614B-5001-00000000FC01}41924300C:\Windows\Explorer.EXE{D0132419-0A67-614B-5201-00000000FC01}4528C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62f15|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000113960Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:27:43.186{D0132419-0A66-614B-5001-00000000FC01}41924300C:\Windows\Explorer.EXE{D0132419-0A67-614B-5201-00000000FC01}4528C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e2e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000113959Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:27:43.186{D0132419-0A66-614B-5001-00000000FC01}41924408C:\Windows\Explorer.EXE{D0132419-0A67-614B-5201-00000000FC01}4528C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000113958Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:27:43.186{D0132419-0A66-614B-5001-00000000FC01}41924408C:\Windows\Explorer.EXE{D0132419-0A67-614B-5201-00000000FC01}4528C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000113957Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:27:43.186{D0132419-0A66-614B-5001-00000000FC01}41924408C:\Windows\Explorer.EXE{D0132419-0A67-614B-5201-00000000FC01}4528C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000113956Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:27:43.186{D0132419-0A66-614B-5001-00000000FC01}41924408C:\Windows\Explorer.EXE{D0132419-0A67-614B-5201-00000000FC01}4528C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000113955Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:27:43.186{D0132419-0A66-614B-5001-00000000FC01}41924408C:\Windows\Explorer.EXE{D0132419-0A67-614B-5201-00000000FC01}4528C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000113954Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:27:43.186{D0132419-0A66-614B-5001-00000000FC01}41924408C:\Windows\Explorer.EXE{D0132419-0A67-614B-5201-00000000FC01}4528C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000113953Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:27:43.186{D0132419-0A66-614B-5001-00000000FC01}41924300C:\Windows\Explorer.EXE{D0132419-0A67-614B-5201-00000000FC01}4528C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62df7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000113952Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:27:43.170{D0132419-0A66-614B-5001-00000000FC01}41924408C:\Windows\Explorer.EXE{D0132419-0A67-614B-5201-00000000FC01}4528C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000113951Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:27:43.170{D0132419-0A66-614B-5001-00000000FC01}41924408C:\Windows\Explorer.EXE{D0132419-0A67-614B-5201-00000000FC01}4528C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000113950Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:27:43.170{D0132419-04CF-614B-0D00-00000000FC01}9084272C:\Windows\system32\svchost.exe{D0132419-0A67-614B-5201-00000000FC01}4528C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000113949Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:27:43.170{D0132419-04CF-614B-0D00-00000000FC01}9084272C:\Windows\system32\svchost.exe{D0132419-0A67-614B-5201-00000000FC01}4528C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000113948Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:27:43.170{D0132419-04CF-614B-0D00-00000000FC01}9084272C:\Windows\system32\svchost.exe{D0132419-0A67-614B-5201-00000000FC01}4528C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000113947Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:27:43.170{D0132419-04CF-614B-0D00-00000000FC01}9084272C:\Windows\system32\svchost.exe{D0132419-0A67-614B-5201-00000000FC01}4528C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000113946Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:27:43.170{D0132419-04CF-614B-0D00-00000000FC01}9084272C:\Windows\system32\svchost.exe{D0132419-0A67-614B-5201-00000000FC01}4528C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000113945Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:27:43.170{D0132419-04CF-614B-0D00-00000000FC01}9084272C:\Windows\system32\svchost.exe{D0132419-0A67-614B-5201-00000000FC01}4528C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000113944Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:27:43.170{D0132419-04CF-614B-0C00-00000000FC01}8486036C:\Windows\system32\svchost.exe{D0132419-0A67-614B-5201-00000000FC01}4528C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a384|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000113943Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:27:43.170{D0132419-04CF-614B-0C00-00000000FC01}8486036C:\Windows\system32\svchost.exe{D0132419-0A67-614B-5201-00000000FC01}4528C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000113942Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:27:43.170{D0132419-04CF-614B-0C00-00000000FC01}8486036C:\Windows\system32\svchost.exe{D0132419-0A67-614B-5101-00000000FC01}4416C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000113941Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:27:43.170{D0132419-04CF-614B-0C00-00000000FC01}8481412C:\Windows\system32\svchost.exe{D0132419-0A67-614B-5201-00000000FC01}4528C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12fce|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000113940Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:27:43.170{D0132419-04CF-614B-0C00-00000000FC01}8481412C:\Windows\system32\svchost.exe{D0132419-0A67-614B-5201-00000000FC01}4528C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000113939Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:27:43.170{D0132419-04CF-614B-0C00-00000000FC01}8481412C:\Windows\system32\svchost.exe{D0132419-0A67-614B-5101-00000000FC01}4416C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000113938Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:27:43.170{D0132419-0A66-614B-5001-00000000FC01}41924344C:\Windows\Explorer.EXE{D0132419-0A67-614B-5201-00000000FC01}4528C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000113937Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:27:43.170{D0132419-04CF-614B-0C00-00000000FC01}8481412C:\Windows\system32\svchost.exe{D0132419-0A67-614B-5201-00000000FC01}4528C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000113936Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:27:43.154{D0132419-04D0-614B-1000-00000000FC01}3881876C:\Windows\system32\svchost.exe{D0132419-132F-614B-9302-00000000FC01}6052C:\Windows\System32\rundll32.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000113935Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:27:43.154{D0132419-04D0-614B-1000-00000000FC01}3881348C:\Windows\system32\svchost.exe{D0132419-132F-614B-9302-00000000FC01}6052C:\Windows\System32\rundll32.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000113934Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:27:43.139{D0132419-0A63-614B-3F01-00000000FC01}30763140C:\Windows\system32\csrss.exe{D0132419-132F-614B-9302-00000000FC01}6052C:\Windows\System32\rundll32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000113933Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:27:43.139{D0132419-04CF-614B-0C00-00000000FC01}8486036C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000113932Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:27:43.139{D0132419-04CF-614B-0C00-00000000FC01}8486036C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000113931Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:27:43.139{D0132419-04CF-614B-0C00-00000000FC01}8486036C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000113930Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:27:43.139{D0132419-04CF-614B-0C00-00000000FC01}8486036C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000113929Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:27:43.139{D0132419-04CD-614B-0500-00000000FC01}424540C:\Windows\system32\csrss.exe{D0132419-132F-614B-9302-00000000FC01}6052C:\Windows\System32\rundll32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000113928Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:27:43.139{D0132419-04CF-614B-0C00-00000000FC01}8481412C:\Windows\system32\svchost.exe{D0132419-132F-614B-9302-00000000FC01}6052C:\Windows\System32\rundll32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+37172|c:\windows\system32\rpcss.dll+3df8d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000113927Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:27:43.143{D0132419-132F-614B-9302-00000000FC01}6052C:\Windows\System32\rundll32.exe10.0.14393.4169 (rs1_release.210107-1130)Windows host process (Rundll32)Microsoft® Windows® Operating SystemMicrosoft CorporationRUNDLL32.EXEC:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {24AC8F2B-4D4A-4C17-9607-6A4B14068F97} -EmbeddingC:\Windows\system32\ATTACKRANGE\Administrator{D0132419-0A65-614B-76B4-0E0000000000}0xeb4762HighMD5=23DB802097F7B7E520E40068A7E68B14,SHA256=28DE7D3E8BF4B19E44063A4BFC2E7C30AE488CD9A1F63320ED374E14AAECA667,IMPHASH=7D1CE1BAFE48B63D9D19E8E0E5DF3E6C{D0132419-04CF-614B-0C00-00000000FC01}848C:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch 23542300x8000000000000000113996Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:27:44.795{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=47486CB83FA92149EDE5E5E10A3B5572,SHA256=8133A4F4B46E57380D45E89A80425F8E19FB578F0AC992DC060DD7B4F0B24FCF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000096118Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:27:44.511{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9CEA7A9B56D3F5F28872FD0D21673602,SHA256=4BE4B1C5B7B2561EACDC11F75662271907472AE15B2B3DF85BE0B4CD7D3E2CB4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000113995Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:27:44.623{D0132419-0AE6-614B-7101-00000000FC01}4912ATTACKRANGE\AdministratorC:\Program Files\Notepad++\notepad++.exeC:\Users\Administrator\AppData\Roaming\Notepad++\backup\AttackRangeSysmon.xml@2021-09-22_112740MD5=5FA686A1E64AD3B6C10E816947F7225A,SHA256=DFD9048F268B279CD5F2093DC4EC3AFC8DF8A0D8CEB8ABCE7BD06ED2AEF80389,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000113994Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:27:44.623{D0132419-0AE6-614B-7101-00000000FC01}4912ATTACKRANGE\AdministratorC:\Program Files\Notepad++\notepad++.exeC:\Program Files\ansible\AttackRangeSysmon.xmlMD5=1430C209EFF7FD5583D3D311A56A889C,SHA256=75358E8028A9D2A1CC1782C71200ED0E529269E98BDC3389937C592CA9D2EB8F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000113993Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:27:44.186{D0132419-0A66-614B-5001-00000000FC01}41924308C:\Windows\Explorer.EXE{D0132419-0A67-614B-5201-00000000FC01}4528C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+b6c18|C:\Windows\System32\TwinUI.dll+b7777|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+37c8f|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+34376|C:\Windows\System32\combase.dll+33b2a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x8000000000000000113992Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:27:44.186{D0132419-0A66-614B-5001-00000000FC01}41924308C:\Windows\Explorer.EXE{D0132419-0A67-614B-5201-00000000FC01}4528C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+b6c18|C:\Windows\System32\TwinUI.dll+b7777|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+37c8f|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+34376|C:\Windows\System32\combase.dll+33b2a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x8000000000000000113991Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:27:44.170{D0132419-0A66-614B-5001-00000000FC01}41925776C:\Windows\Explorer.EXE{D0132419-0A67-614B-5101-00000000FC01}4416C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000113990Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:27:44.170{D0132419-04CF-614B-0C00-00000000FC01}8484484C:\Windows\system32\svchost.exe{D0132419-0A67-614B-5201-00000000FC01}4528C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000113989Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:27:44.170{D0132419-0A66-614B-5001-00000000FC01}41925776C:\Windows\Explorer.EXE{D0132419-0A67-614B-5101-00000000FC01}4416C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000113988Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:27:44.170{D0132419-0A66-614B-5001-00000000FC01}41925760C:\Windows\Explorer.EXE{D0132419-0A67-614B-5201-00000000FC01}4528C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000113987Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:27:44.170{D0132419-0A66-614B-5001-00000000FC01}41925760C:\Windows\Explorer.EXE{D0132419-0A67-614B-5201-00000000FC01}4528C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000113986Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:27:44.154{D0132419-04CF-614B-0C00-00000000FC01}8484484C:\Windows\system32\svchost.exe{D0132419-0A67-614B-5201-00000000FC01}4528C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000113985Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:27:44.154{D0132419-0A66-614B-5001-00000000FC01}41924300C:\Windows\Explorer.EXE{D0132419-0AE6-614B-7101-00000000FC01}4912C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62f15|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000113984Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:27:44.154{D0132419-0A66-614B-5001-00000000FC01}41924300C:\Windows\Explorer.EXE{D0132419-0AE6-614B-7101-00000000FC01}4912C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e2e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000113983Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:27:44.154{D0132419-0A66-614B-5001-00000000FC01}41924300C:\Windows\Explorer.EXE{D0132419-0AE6-614B-7101-00000000FC01}4912C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62df7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000113982Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:27:44.154{D0132419-0A66-614B-5001-00000000FC01}41924344C:\Windows\Explorer.EXE{D0132419-0AE6-614B-7101-00000000FC01}4912C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62890|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000113981Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:27:44.154{D0132419-0A66-614B-5001-00000000FC01}41924344C:\Windows\Explorer.EXE{D0132419-0AE6-614B-7101-00000000FC01}4912C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47bc0|C:\Windows\System32\SHELL32.dll+6284c|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000113980Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:27:44.154{D0132419-0A66-614B-5001-00000000FC01}41924344C:\Windows\Explorer.EXE{D0132419-0AE6-614B-7101-00000000FC01}4912C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62820|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000113979Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:27:44.154{D0132419-0A66-614B-5001-00000000FC01}41924344C:\Windows\Explorer.EXE{D0132419-0AE6-614B-7101-00000000FC01}4912C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000113978Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:27:44.139{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=19FAB4C63D056DB6851EBD955FA9AE98,SHA256=2DCC4F40E1E1D972A765999E23F43401544D670FA19A1182E67EDCCD43F720FB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000113977Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:27:44.139{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9EC586D7F06C7D16F3DD4338D9428A49,SHA256=E04A4A3BC87A30FD17D632DE7A1A8CE5D7E9255B681F3A1BBF042EBE3110361C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000113998Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:27:45.873{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0A56820592B1C294C75EF13C536F95C2,SHA256=9E0A7CF7F5C50603B3D440F734373C06C5EA7A9575C06EB94B027947FCDE3FE1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000096119Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:27:45.511{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=278937AD45C62D3973C9ABF4A83A7674,SHA256=C3F44544F5E5A03CD70F2BAE7F93B5184688F83B92C7E91C8D40A743A08B67B3,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000113997Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:27:42.639{D0132419-04E8-614B-6A00-00000000FC01}3852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local53266-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000113999Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:27:46.889{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F565A578AFC005F51B1487E77E71EA06,SHA256=7C6F71AD72450F7FC5B93CF13379E0CDBCD5D6463E3C875CD891E1CA52A69CA4,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000096121Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:27:44.049{601D2BAB-04F9-614B-6600-00000000FD01}2700C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-301.eu-central-1.compute.internal50440-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000096120Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:27:46.542{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=095FC20E8A04D085533CF986F987A1AF,SHA256=9E3161AFEE09DE0CF325ABB0B36434E5ED78B5C61993A9B5FF5D3F9AEB3C3479,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000114000Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:27:47.936{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=46EEBCF65CDF96A98E89CCA483865CA0,SHA256=6AF315993FEBF9CAA20CF2EC2856F3BDCA8106F59F2A1630C54E589D38CA2966,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000096122Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:27:47.589{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=81A9C897D082DAA7ECE10752CB05BD80,SHA256=A744EDB39E95E68719234867E8A8F880FAFF41689D876849E4D692A43D194BD5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000114005Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:27:48.951{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=08E4B587388B36BA9CD756CE88CD3A4C,SHA256=B321BD11CDA029247BE33F2BA7189E1A40D69F3613E8AC43988D5105989D08B7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000096123Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:27:48.604{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=27A6F9BB54BBBF07C527A5E89245E90B,SHA256=430F1C066DF06B60CCA121C681C6124B330DD0D6C20588808FFA8F1FBF17D595,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000114004Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:27:48.748{D0132419-04CF-614B-0C00-00000000FC01}8484484C:\Windows\system32\svchost.exe{D0132419-0A67-614B-5201-00000000FC01}4528C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000114003Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:27:48.748{D0132419-04CF-614B-0C00-00000000FC01}8484484C:\Windows\system32\svchost.exe{D0132419-0A67-614B-5101-00000000FC01}4416C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000114002Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:27:48.748{D0132419-04CF-614B-0C00-00000000FC01}8484484C:\Windows\system32\svchost.exe{D0132419-0A67-614B-5201-00000000FC01}4528C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000114001Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:27:48.748{D0132419-04CF-614B-0C00-00000000FC01}8484484C:\Windows\system32\svchost.exe{D0132419-0A67-614B-5101-00000000FC01}4416C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 23542300x800000000000000096124Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:27:49.620{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C1DAA3461ABCC0448C85B5121E2A343B,SHA256=99D02C37DF1C4E0CB05F293FE73BD3D0A16ACD89955EA4676F3E282747D90F1A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000114046Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:27:49.764{D0132419-0A66-614B-5001-00000000FC01}41924300C:\Windows\Explorer.EXE{D0132419-1335-614B-9502-00000000FC01}4688C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62f15|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000114045Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:27:49.764{D0132419-0A66-614B-5001-00000000FC01}41924300C:\Windows\Explorer.EXE{D0132419-1335-614B-9502-00000000FC01}4688C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e2e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000114044Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:27:49.764{D0132419-0A66-614B-5001-00000000FC01}41924300C:\Windows\Explorer.EXE{D0132419-1335-614B-9502-00000000FC01}4688C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62df7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000114043Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:27:49.748{D0132419-0A65-614B-4901-00000000FC01}22881204C:\Windows\system32\taskhostw.exe{D0132419-1335-614B-9602-00000000FC01}3440C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000114042Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:27:49.748{D0132419-0A65-614B-4901-00000000FC01}22881204C:\Windows\system32\taskhostw.exe{D0132419-1335-614B-9602-00000000FC01}3440C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000114041Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:27:49.733{D0132419-0A66-614B-5001-00000000FC01}41924048C:\Windows\Explorer.EXE{D0132419-1335-614B-9502-00000000FC01}4688C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62f15|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000114040Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:27:49.733{D0132419-0A66-614B-5001-00000000FC01}41924048C:\Windows\Explorer.EXE{D0132419-1335-614B-9502-00000000FC01}4688C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e2e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000114039Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:27:49.733{D0132419-0A66-614B-5001-00000000FC01}41924048C:\Windows\Explorer.EXE{D0132419-1335-614B-9502-00000000FC01}4688C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62df7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000114038Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:27:49.733{D0132419-0A66-614B-5001-00000000FC01}41924048C:\Windows\Explorer.EXE{D0132419-1335-614B-9502-00000000FC01}4688C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000114037Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:27:49.733{D0132419-0A66-614B-5001-00000000FC01}41924344C:\Windows\Explorer.EXE{D0132419-1335-614B-9602-00000000FC01}3440C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62890|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000114036Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:27:49.733{D0132419-0A66-614B-5001-00000000FC01}41924344C:\Windows\Explorer.EXE{D0132419-1335-614B-9602-00000000FC01}3440C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47bc0|C:\Windows\System32\SHELL32.dll+6284c|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000114035Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:27:49.733{D0132419-0A66-614B-5001-00000000FC01}41924344C:\Windows\Explorer.EXE{D0132419-1335-614B-9602-00000000FC01}3440C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62820|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000114034Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:27:49.733{D0132419-0A66-614B-5001-00000000FC01}41924344C:\Windows\Explorer.EXE{D0132419-1335-614B-9602-00000000FC01}3440C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000114033Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:27:49.701{D0132419-04D0-614B-1000-00000000FC01}3881876C:\Windows\system32\svchost.exe{D0132419-1335-614B-9602-00000000FC01}3440C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000114032Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:27:49.701{D0132419-04D0-614B-1000-00000000FC01}3881348C:\Windows\system32\svchost.exe{D0132419-1335-614B-9602-00000000FC01}3440C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000114031Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:27:49.701{D0132419-1335-614B-9602-00000000FC01}34402536C:\Windows\system32\conhost.exe{D0132419-1335-614B-9502-00000000FC01}4688C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000114030Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:27:49.686{D0132419-0A63-614B-3F01-00000000FC01}30763140C:\Windows\system32\csrss.exe{D0132419-1335-614B-9602-00000000FC01}3440C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000114029Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:27:49.686{D0132419-0A63-614B-3F01-00000000FC01}30763140C:\Windows\system32\csrss.exe{D0132419-1335-614B-9502-00000000FC01}4688C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000114028Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:27:49.686{D0132419-04CF-614B-0C00-00000000FC01}8481412C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000114027Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:27:49.686{D0132419-04CF-614B-0C00-00000000FC01}8481412C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000114026Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:27:49.686{D0132419-04CF-614B-0C00-00000000FC01}8481412C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000114025Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:27:49.686{D0132419-04CF-614B-0C00-00000000FC01}8481412C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000114024Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:27:49.686{D0132419-0A66-614B-5001-00000000FC01}41923872C:\Windows\Explorer.EXE{D0132419-1335-614B-9502-00000000FC01}4688C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+a909f|C:\Windows\System32\windows.storage.dll+a8d15|C:\Windows\System32\windows.storage.dll+a8806|C:\Windows\System32\windows.storage.dll+a9c78|C:\Windows\System32\windows.storage.dll+a862e|C:\Windows\System32\windows.storage.dll+ab445|C:\Windows\System32\windows.storage.dll+ab7c4|C:\Windows\System32\windows.storage.dll+204ae4|C:\Windows\System32\windows.storage.dll+ad62a|C:\Windows\System32\windows.storage.dll+ad3e2|C:\Windows\System32\SHELL32.dll+3f8bd|C:\Windows\System32\SHELL32.dll+3e456|C:\Windows\System32\SHELL32.dll+801d1|C:\Windows\System32\SHELL32.dll+6716e|C:\Windows\System32\SHELL32.dll+1757a0|C:\Windows\System32\SHELL32.dll+17c27c|C:\Windows\System32\SHELL32.dll+19ea38|C:\Windows\System32\SHELL32.dll+17c416|C:\Windows\system32\explorerframe.dll+13cf7b|C:\Windows\system32\explorerframe.dll+139d07 154100x8000000000000000114023Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:27:49.690{D0132419-1335-614B-9502-00000000FC01}4688C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"cmd.exe" /s /k pushd "C:\Program Files\ansible\sysmon"C:\Windows\system32\ATTACKRANGE\Administrator{D0132419-0A65-614B-76B4-0E0000000000}0xeb4762HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{D0132419-0A66-614B-5001-00000000FC01}4192C:\Windows\explorer.exeC:\Windows\Explorer.EXE /NOUACCHECK 10341000x8000000000000000114022Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:27:49.514{D0132419-04CF-614B-0C00-00000000FC01}8484484C:\Windows\system32\svchost.exe{D0132419-0A67-614B-5201-00000000FC01}4528C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000114021Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:27:49.514{D0132419-04CF-614B-0C00-00000000FC01}8484484C:\Windows\system32\svchost.exe{D0132419-0A67-614B-5101-00000000FC01}4416C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000114020Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:27:49.514{D0132419-04CF-614B-0C00-00000000FC01}8486036C:\Windows\system32\svchost.exe{D0132419-0A67-614B-5201-00000000FC01}4528C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12fce|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000114019Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:27:49.514{D0132419-04CF-614B-0C00-00000000FC01}8486036C:\Windows\system32\svchost.exe{D0132419-0A67-614B-5201-00000000FC01}4528C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000114018Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:27:49.514{D0132419-04CF-614B-0C00-00000000FC01}8486036C:\Windows\system32\svchost.exe{D0132419-0A67-614B-5101-00000000FC01}4416C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000114017Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:27:49.514{D0132419-0A65-614B-4701-00000000FC01}9766092C:\Windows\system32\sihost.exe{D0132419-0A67-614B-5201-00000000FC01}4528C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\usermgrcli.dll+1121|C:\Windows\System32\modernexecserver.dll+37dac|C:\Windows\System32\modernexecserver.dll+37d4f|C:\Windows\System32\modernexecserver.dll+375a6|C:\Windows\System32\modernexecserver.dll+1a1c4|C:\Windows\System32\modernexecserver.dll+3191d|C:\Windows\System32\modernexecserver.dll+32871|C:\Windows\System32\modernexecserver.dll+3278f|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000114016Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:27:49.451{D0132419-04DE-614B-3100-00000000FC01}23683044C:\Windows\system32\conhost.exe{D0132419-1335-614B-9402-00000000FC01}4636C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000114015Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:27:49.451{D0132419-04CF-614B-0C00-00000000FC01}8484484C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000114014Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:27:49.451{D0132419-04CF-614B-0C00-00000000FC01}8484484C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000114013Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:27:49.451{D0132419-04CF-614B-0C00-00000000FC01}8484484C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000114012Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:27:49.451{D0132419-04CF-614B-0C00-00000000FC01}8484484C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000114011Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:27:49.451{D0132419-04CD-614B-0500-00000000FC01}424540C:\Windows\system32\csrss.exe{D0132419-1335-614B-9402-00000000FC01}4636C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000114010Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:27:49.451{D0132419-04DD-614B-2800-00000000FC01}28323704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D0132419-1335-614B-9402-00000000FC01}4636C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000114009Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:27:49.453{D0132419-1335-614B-9402-00000000FC01}4636C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D0132419-04CD-614B-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{D0132419-04DD-614B-2800-00000000FC01}2832C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000114008Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:27:49.451{D0132419-04CF-614B-0C00-00000000FC01}8481412C:\Windows\system32\svchost.exe{D0132419-0A67-614B-5201-00000000FC01}4528C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12fce|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000114007Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:27:49.451{D0132419-04CF-614B-0C00-00000000FC01}8481412C:\Windows\system32\svchost.exe{D0132419-0A67-614B-5201-00000000FC01}4528C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000114006Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:27:49.451{D0132419-04CF-614B-0C00-00000000FC01}8481412C:\Windows\system32\svchost.exe{D0132419-0A67-614B-5101-00000000FC01}4416C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 23542300x800000000000000096125Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:27:50.651{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E24C6A8E42086FB80339AEF661E1E424,SHA256=923E1C552367C27D7ED51FEB61125542B7528653D2E10D839468773FB17E030F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000114066Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:27:50.983{D0132419-04DE-614B-3100-00000000FC01}23683044C:\Windows\system32\conhost.exe{D0132419-1336-614B-9802-00000000FC01}172C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000114065Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:27:50.983{D0132419-04CF-614B-0C00-00000000FC01}8481412C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000114064Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:27:50.983{D0132419-04CF-614B-0C00-00000000FC01}8481412C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000114063Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:27:50.983{D0132419-04CF-614B-0C00-00000000FC01}8481412C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000114062Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:27:50.983{D0132419-04CF-614B-0C00-00000000FC01}8481412C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000114061Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:27:50.983{D0132419-04CD-614B-0500-00000000FC01}424540C:\Windows\system32\csrss.exe{D0132419-1336-614B-9802-00000000FC01}172C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000114060Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:27:50.983{D0132419-04DD-614B-2800-00000000FC01}28323704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D0132419-1336-614B-9802-00000000FC01}172C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000114059Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:27:50.984{D0132419-1336-614B-9802-00000000FC01}172C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D0132419-04CD-614B-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{D0132419-04DD-614B-2800-00000000FC01}2832C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000114058Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:27:50.483{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EB18D8E8936AFFAA2C89DB83C444F217,SHA256=540C8EF38619B1128032DE2B8A06EE60867F46832039362CFD107D5F2F35EA74,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000114057Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:27:50.483{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=19FAB4C63D056DB6851EBD955FA9AE98,SHA256=2DCC4F40E1E1D972A765999E23F43401544D670FA19A1182E67EDCCD43F720FB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000114056Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:27:50.483{D0132419-04DE-614B-3100-00000000FC01}23683044C:\Windows\system32\conhost.exe{D0132419-1336-614B-9702-00000000FC01}664C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000114055Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:27:50.483{D0132419-04CF-614B-0C00-00000000FC01}8481412C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000114054Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:27:50.483{D0132419-04CF-614B-0C00-00000000FC01}8481412C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000114053Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:27:50.483{D0132419-04CF-614B-0C00-00000000FC01}8481412C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000114052Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:27:50.483{D0132419-04CF-614B-0C00-00000000FC01}8481412C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000114051Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:27:50.483{D0132419-04CD-614B-0500-00000000FC01}424540C:\Windows\system32\csrss.exe{D0132419-1336-614B-9702-00000000FC01}664C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000114050Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:27:50.483{D0132419-04DD-614B-2800-00000000FC01}28323704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D0132419-1336-614B-9702-00000000FC01}664C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000114049Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:27:50.483{D0132419-1336-614B-9702-00000000FC01}664C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D0132419-04CD-614B-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{D0132419-04DD-614B-2800-00000000FC01}2832C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000114048Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:27:48.576{D0132419-04E8-614B-6A00-00000000FC01}3852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local53267-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000114047Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:27:50.076{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A31953B0904F355135BEDB93B55244C3,SHA256=4034B128F3B8E96A1D22A0F1488E584D6245199F4DCD7EDDCCFB6A7A2884C3B1,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000096127Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:27:49.174{601D2BAB-04F9-614B-6600-00000000FD01}2700C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-301.eu-central-1.compute.internal50441-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000096126Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:27:51.651{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3572077D55144F473006F2826BD34BC6,SHA256=280EB1FCAE78E8E328E16E8BADB84C339B363A434C66F313A98BE2100054A713,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000114069Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:27:51.498{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EB18D8E8936AFFAA2C89DB83C444F217,SHA256=540C8EF38619B1128032DE2B8A06EE60867F46832039362CFD107D5F2F35EA74,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000114068Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:27:51.139{D0132419-1336-614B-9802-00000000FC01}1723840C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{D0132419-04DD-614B-2800-00000000FC01}2832C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000114067Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:27:51.092{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D4044FFDBF952A2FFF2AF6FE8248A695,SHA256=D877E5EE8F4ACCE4BD190DA7E7687B37A8195F5CDBAE35E8C3C6C806055B2016,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000096128Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:27:52.698{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3EC879F588692FB4E3EF7D6EFEB0E5CC,SHA256=E63BB40F1CBBCF2F24CC3AA49E89BF23B9BA9D45F756CB122704A23C2524426F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000114072Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:27:50.514{D0132419-04CD-614B-0B00-00000000FC01}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local53268-true0:0:0:0:0:0:0:1win-dc-639.attackrange.local389ldap 354300x8000000000000000114071Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:27:50.514{D0132419-04DD-614B-2500-00000000FC01}2784C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local53268-true0:0:0:0:0:0:0:1win-dc-639.attackrange.local389ldap 23542300x8000000000000000114070Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:27:52.108{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B7BBD35CD6AB0FE555FFE392BCDFCFF5,SHA256=E4FE9A87C724BB4CD8ED04987139ABB88DAB500880378F0F7ACD95BC12C59131,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000096129Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:27:53.745{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2008B67DC38A78C5CC2753D5D175F7A0,SHA256=E10E4C25F701DE0A1E402A169113D31E9D2E7C6D54416F2BF915380F512A73F0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000114082Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:27:53.764{D0132419-1339-614B-9902-00000000FC01}42484224C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D0132419-04DD-614B-2800-00000000FC01}2832C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000114081Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:27:53.576{D0132419-04DE-614B-3100-00000000FC01}23683044C:\Windows\system32\conhost.exe{D0132419-1339-614B-9902-00000000FC01}4248C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000114080Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:27:53.576{D0132419-04CF-614B-0C00-00000000FC01}8481412C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000114079Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:27:53.576{D0132419-04CF-614B-0C00-00000000FC01}8481412C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000114078Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:27:53.576{D0132419-04CF-614B-0C00-00000000FC01}8481412C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000114077Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:27:53.576{D0132419-04CF-614B-0C00-00000000FC01}8481412C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000114076Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:27:53.576{D0132419-04CD-614B-0500-00000000FC01}424440C:\Windows\system32\csrss.exe{D0132419-1339-614B-9902-00000000FC01}4248C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000114075Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:27:53.576{D0132419-04DD-614B-2800-00000000FC01}28323704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D0132419-1339-614B-9902-00000000FC01}4248C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000114074Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:27:53.577{D0132419-1339-614B-9902-00000000FC01}4248C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D0132419-04CD-614B-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{D0132419-04DD-614B-2800-00000000FC01}2832C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000114073Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:27:53.123{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E650FFC8F957041DDE2A3B63CD3E49E0,SHA256=3530676D130D746ECAD1FFA9BEF1FED9580DA1122D8FDE329B9565A8A13DE079,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000096130Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:27:54.745{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6957DC03A27604F347DD0D22D01C34D9,SHA256=6752EA46774AE8221703AAF7233AA81EA0FD046845E317BD380F597D9FCB4783,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000114084Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:27:54.592{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=901D30591F1314514FAC2E228046222C,SHA256=540D30E8CFE07BB7147DF708D39EA88BE0CCF8872FB6C6BA976BBF09ACB9C472,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000114083Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:27:54.139{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C1D195EE1DC8C43828F12562EC73199,SHA256=957664BCF983D5B1C6B59F086ABBD2AF95488325DB1E3BC3A0791E3474AA93D8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000096132Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:27:55.745{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=352742C6345917EFD40510EDCBF27AC3,SHA256=0CF015AE72D9F87A44050EFF7CCD258A3984C51A8B6514E950C46C8985B809E0,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000114086Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:27:53.670{D0132419-04E8-614B-6A00-00000000FC01}3852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local53269-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000114085Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:27:55.170{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=48EDAA817D79224B3E2D5CB2435BE34E,SHA256=A424E1FB874A3B2DE30F89857DB7BB98E2E3E2E628791CDAA738A2B73808924C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000096131Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:27:55.354{601D2BAB-04EE-614B-1100-00000000FD01}972NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=10809FA2615544964B8BBBC9DFA6861C,SHA256=7D608E2D3D7B13310DCC3D18E70E90375446374523DFBDB3CA96F0A35A595AF2,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000096134Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:27:55.049{601D2BAB-04F9-614B-6600-00000000FD01}2700C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-301.eu-central-1.compute.internal50442-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000096133Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:27:56.760{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=38C2ECA57467D39721CE779A11E90039,SHA256=1C11DA4014626C232CC7399ED78F89FE5EB1D718F30A6CEDE47E4E7921447BB8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000114087Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:27:56.186{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FAD562C817EE7BC8D7ADCD679EFBA2B2,SHA256=7B567B3F052492DBED1528D51765032C7E502BCD61117434A2EA98A88AB8800C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000096135Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:27:57.760{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=519E7C14650865D6C0B45D62B48FA7F8,SHA256=369FA3BDAC486C09E7FECB170B8954117059AE3B7B5329871CE65215AB88B8B2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000114098Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:27:57.936{D0132419-0A66-614B-5001-00000000FC01}41923872C:\Windows\Explorer.EXE{D0132419-1335-614B-9502-00000000FC01}4688C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\ole32.dll+8a12e|C:\Windows\System32\ole32.dll+89a2b|C:\Windows\System32\ole32.dll+88be7|C:\Windows\System32\ole32.dll+8c817|C:\Windows\System32\SHELL32.dll+2c8e7d|C:\Windows\System32\SHELL32.dll+283a3e|C:\Windows\system32\explorerframe.dll+b29b9|C:\Windows\system32\DUI70.dll+48b9d|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\System32\DUser.dll+9f5a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+4f50e|C:\Windows\system32\explorerframe.dll+4d2f6|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+1aced|C:\Windows\system32\explorerframe.dll+1ac26|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9 10341000x8000000000000000114097Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:27:57.936{D0132419-0A66-614B-5001-00000000FC01}41923872C:\Windows\Explorer.EXE{D0132419-1335-614B-9502-00000000FC01}4688C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\ole32.dll+b5f02|C:\Windows\System32\ole32.dll+899f9|C:\Windows\System32\ole32.dll+88be7|C:\Windows\System32\ole32.dll+8c817|C:\Windows\System32\SHELL32.dll+2c8e7d|C:\Windows\System32\SHELL32.dll+283a3e|C:\Windows\system32\explorerframe.dll+b29b9|C:\Windows\system32\DUI70.dll+48b9d|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\System32\DUser.dll+9f5a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+4f50e|C:\Windows\system32\explorerframe.dll+4d2f6|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+1aced|C:\Windows\system32\explorerframe.dll+1ac26|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9 10341000x8000000000000000114096Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:27:57.670{D0132419-0A66-614B-5001-00000000FC01}41923872C:\Windows\Explorer.EXE{D0132419-1335-614B-9502-00000000FC01}4688C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\ole32.dll+8a220|C:\Windows\System32\ole32.dll+8c32e|C:\Windows\System32\ole32.dll+8c7fb|C:\Windows\System32\SHELL32.dll+2c8e7d|C:\Windows\System32\SHELL32.dll+283a3e|C:\Windows\system32\explorerframe.dll+b29b9|C:\Windows\system32\DUI70.dll+48b9d|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\System32\DUser.dll+9f5a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+4f50e|C:\Windows\system32\explorerframe.dll+4d2f6|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+1aced|C:\Windows\system32\explorerframe.dll+1ac26|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+5888a 10341000x8000000000000000114095Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:27:57.654{D0132419-0A66-614B-5001-00000000FC01}41923872C:\Windows\Explorer.EXE{D0132419-1335-614B-9502-00000000FC01}4688C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\system32\dataexchange.dll+a087|C:\Windows\System32\ole32.dll+8c1a5|C:\Windows\System32\ole32.dll+8c7fb|C:\Windows\System32\SHELL32.dll+2c8e7d|C:\Windows\System32\SHELL32.dll+283a3e|C:\Windows\system32\explorerframe.dll+b29b9|C:\Windows\system32\DUI70.dll+48b9d|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\System32\DUser.dll+9f5a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+4f50e|C:\Windows\system32\explorerframe.dll+4d2f6|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+1aced 10341000x8000000000000000114094Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:27:57.608{D0132419-04D0-614B-1000-00000000FC01}3881876C:\Windows\system32\svchost.exe{D0132419-133D-614B-9A02-00000000FC01}4960C:\Windows\system32\DllHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000114093Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:27:57.608{D0132419-04D0-614B-1000-00000000FC01}3881348C:\Windows\system32\svchost.exe{D0132419-133D-614B-9A02-00000000FC01}4960C:\Windows\system32\DllHost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000114092Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:27:57.592{D0132419-04CF-614B-0C00-00000000FC01}8484484C:\Windows\system32\svchost.exe{D0132419-133D-614B-9A02-00000000FC01}4960C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000114091Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:27:57.576{D0132419-0A63-614B-3F01-00000000FC01}30761764C:\Windows\system32\csrss.exe{D0132419-133D-614B-9A02-00000000FC01}4960C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000114090Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:27:57.576{D0132419-04CD-614B-0500-00000000FC01}42492C:\Windows\system32\csrss.exe{D0132419-133D-614B-9A02-00000000FC01}4960C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000114089Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:27:57.576{D0132419-04CF-614B-0C00-00000000FC01}8484484C:\Windows\system32\svchost.exe{D0132419-133D-614B-9A02-00000000FC01}4960C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+366e9|c:\windows\system32\rpcss.dll+3bed2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000114088Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:27:57.233{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B09E87A24C7AABF8DB41576979381E2E,SHA256=07C4E03ED65A64660F49F8DCFF670D9276FD2BDA3DE867B6D6E7FD17497990D6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000096136Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:27:58.760{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=22A18647A2EB1BA5FE0681847480923F,SHA256=66FDBE97E38F5B46FEE886A0BEC34C8266F92C2425D3069F4EE24B40B21D09B6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000114107Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:27:58.623{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=10CCBC314B48AE886D8A48FD2A839836,SHA256=95C9707F473B7E4D4AC6FE5F60D59EE472ED01AB295B2E557CA7B89B7F2FD778,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000114106Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:27:58.311{D0132419-0A66-614B-5001-00000000FC01}41924300C:\Windows\Explorer.EXE{D0132419-1335-614B-9502-00000000FC01}4688C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62f15|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000114105Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:27:58.311{D0132419-0A66-614B-5001-00000000FC01}41924300C:\Windows\Explorer.EXE{D0132419-1335-614B-9502-00000000FC01}4688C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e2e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000114104Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:27:58.311{D0132419-0A66-614B-5001-00000000FC01}41924300C:\Windows\Explorer.EXE{D0132419-1335-614B-9502-00000000FC01}4688C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62df7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000114103Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:27:58.311{D0132419-0A66-614B-5001-00000000FC01}41924344C:\Windows\Explorer.EXE{D0132419-1335-614B-9602-00000000FC01}3440C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62890|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000114102Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:27:58.311{D0132419-0A66-614B-5001-00000000FC01}41924344C:\Windows\Explorer.EXE{D0132419-1335-614B-9602-00000000FC01}3440C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47bc0|C:\Windows\System32\SHELL32.dll+6284c|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000114101Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:27:58.311{D0132419-0A66-614B-5001-00000000FC01}41924344C:\Windows\Explorer.EXE{D0132419-1335-614B-9602-00000000FC01}3440C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62820|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000114100Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:27:58.311{D0132419-0A66-614B-5001-00000000FC01}41924344C:\Windows\Explorer.EXE{D0132419-1335-614B-9602-00000000FC01}3440C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000114099Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:27:58.295{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EF4B85B2C1290A97DE3900C57E70BBC3,SHA256=DB70279310CF63D68FF3208EF46ECBAB7DB4415CFD9557C04259CB6EFA2BE5F2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000096137Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:27:59.822{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5567A9A48EA655D0C208244215668515,SHA256=6E7F5AE4A4A8C171BD0F7C92655078F7FA423721F28C120504F88317D495A4D6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000114129Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:27:59.326{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=057B804930AC9E831D98E5AE762ED9F2,SHA256=FEE45E54A669A62A517FC9D494D50CE51D01225E1BD34ED73EB7B02D5E813C9A,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000114128Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-SetValue2021-09-22 11:27:59.311{D0132419-133F-614B-9B02-00000000FC01}5316C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\ConfigHashSHA256=DFD9048F268B279CD5F2093DC4EC3AFC8DF8A0D8CEB8ABCE7BD06ED2AEF80389 13241300x8000000000000000114127Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-SetValue2021-09-22 11:27:59.311{D0132419-133F-614B-9B02-00000000FC01}5316C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\ConfigFileC:\Program Files\ansible\AttackRangeSysmon.xml 16341600x8000000000000000114126Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local2021-09-22 11:27:59.311C:\Program Files\ansible\AttackRangeSysmon.xmlSHA256=DFD9048F268B279CD5F2093DC4EC3AFC8DF8A0D8CEB8ABCE7BD06ED2AEF80389 13241300x8000000000000000114125Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-SetValue2021-09-22 11:27:59.311{D0132419-133F-614B-9B02-00000000FC01}5316C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\RulesBinary Data 13241300x8000000000000000114124Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-SetValue2021-09-22 11:27:59.311{D0132419-133F-614B-9B02-00000000FC01}5316C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\DnsLookupBinary Data 13241300x8000000000000000114123Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-SetValue2021-09-22 11:27:59.311{D0132419-133F-614B-9B02-00000000FC01}5316C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\CheckRevocationBinary Data 13241300x8000000000000000114122Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-SetValue2021-09-22 11:27:59.311{D0132419-133F-614B-9B02-00000000FC01}5316C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\HashingAlgorithmDWORD (0x8000000e) 13241300x8000000000000000114121Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-SetValue2021-09-22 11:27:59.311{D0132419-133F-614B-9B02-00000000FC01}5316C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\OptionsDWORD (0x00000007) 12241200x8000000000000000114120Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-DeleteValue2021-09-22 11:27:59.311{D0132419-133F-614B-9B02-00000000FC01}5316C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\Rules 12241200x8000000000000000114119Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-DeleteValue2021-09-22 11:27:59.311{D0132419-133F-614B-9B02-00000000FC01}5316C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\DnsLookup 12241200x8000000000000000114118Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-DeleteValue2021-09-22 11:27:59.311{D0132419-133F-614B-9B02-00000000FC01}5316C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\CheckRevocation 12241200x8000000000000000114117Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-DeleteValue2021-09-22 11:27:59.311{D0132419-133F-614B-9B02-00000000FC01}5316C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\HashingAlgorithm 12241200x8000000000000000114116Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-DeleteValue2021-09-22 11:27:59.311{D0132419-133F-614B-9B02-00000000FC01}5316C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\Options 10341000x8000000000000000114115Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:27:59.201{D0132419-1335-614B-9602-00000000FC01}34402536C:\Windows\system32\conhost.exe{D0132419-133F-614B-9B02-00000000FC01}5316C:\Program Files\ansible\sysmon\Sysmon64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000114114Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:27:59.201{D0132419-0A63-614B-3F01-00000000FC01}30763140C:\Windows\system32\csrss.exe{D0132419-133F-614B-9B02-00000000FC01}5316C:\Program Files\ansible\sysmon\Sysmon64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000114113Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:27:59.201{D0132419-04CF-614B-0C00-00000000FC01}8484484C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000114112Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:27:59.201{D0132419-04CF-614B-0C00-00000000FC01}8484484C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000114111Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:27:59.201{D0132419-04CF-614B-0C00-00000000FC01}8484484C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000114110Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:27:59.201{D0132419-04CF-614B-0C00-00000000FC01}8484484C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000114109Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:27:59.201{D0132419-1335-614B-9502-00000000FC01}46884240C:\Windows\system32\cmd.exe{D0132419-133F-614B-9B02-00000000FC01}5316C:\Program Files\ansible\sysmon\Sysmon64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000114108Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:27:59.172{D0132419-133F-614B-9B02-00000000FC01}5316C:\Program Files\ansible\sysmon\Sysmon64.exe13.01System activity monitorSysinternals SysmonSysinternals - www.sysinternals.com-Sysmon64.exe -c "C:\Program Files\ansible\AttackRangeSysmon.xml"C:\Program Files\ansible\sysmon\ATTACKRANGE\Administrator{D0132419-0A65-614B-76B4-0E0000000000}0xeb4762HighMD5=8A914CFB7496B8461285C009DD8F5627,SHA256=422EC998FED690C2EC3239A4BB80075F098A9A95CBDFFBC873365B9F7136A02A,IMPHASH=DCF866F4139DD7FF6C0A5D4FA050CD7A{D0132419-1335-614B-9502-00000000FC01}4688C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Program Files\ansible\sysmon" 23542300x800000000000000096138Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:28:00.831{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C76621EF650C7BCF7D6E80967D41874,SHA256=6F195059269062AC5EFE9DA98C9294F8F9B5227A3049C928C9968306AA2FD7EC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000114131Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:28:00.326{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A5F00EAE7C38F33E06151D065BA13C95,SHA256=0EC42E639F2A7EA4FFDC071E74DE9DF80DF9CA7DC77FEC148E480FA9E76F6E3A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000114130Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:28:00.186{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=20251430FC32369467A9890E701E611D,SHA256=9B159A61EEDD47441D1EE730C1DBDD5A88A69A4D8392FE945C4A4786C1CA98E6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000096139Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:28:01.831{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8150620498C9BB7B4571DB574298404A,SHA256=AAD01A66BABEC75A4AF6807FC2F99668B2DAC4EFBE970ACEA8CCAE39D0ABF4BD,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000114140Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:27:59.670{D0132419-04E8-614B-6A00-00000000FC01}3852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local53270-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x8000000000000000114139Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:28:01.529{D0132419-0A66-614B-5001-00000000FC01}41924300C:\Windows\Explorer.EXE{D0132419-12F4-614B-8902-00000000FC01}2016C:\Users\Administrator\AppData\Roaming\WIN32\WIN32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62f15|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000114138Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:28:01.529{D0132419-0A66-614B-5001-00000000FC01}41924300C:\Windows\Explorer.EXE{D0132419-12F4-614B-8902-00000000FC01}2016C:\Users\Administrator\AppData\Roaming\WIN32\WIN32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e2e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000114137Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:28:01.529{D0132419-0A66-614B-5001-00000000FC01}41924300C:\Windows\Explorer.EXE{D0132419-12F4-614B-8902-00000000FC01}2016C:\Users\Administrator\AppData\Roaming\WIN32\WIN32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62df7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000114136Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:28:01.514{D0132419-0A66-614B-5001-00000000FC01}41924344C:\Windows\Explorer.EXE{D0132419-12F4-614B-8A02-00000000FC01}4780C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62890|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000114135Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:28:01.514{D0132419-0A66-614B-5001-00000000FC01}41924344C:\Windows\Explorer.EXE{D0132419-12F4-614B-8A02-00000000FC01}4780C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47bc0|C:\Windows\System32\SHELL32.dll+6284c|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000114134Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:28:01.514{D0132419-0A66-614B-5001-00000000FC01}41924344C:\Windows\Explorer.EXE{D0132419-12F4-614B-8A02-00000000FC01}4780C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62820|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000114133Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:28:01.514{D0132419-0A66-614B-5001-00000000FC01}41924344C:\Windows\Explorer.EXE{D0132419-12F4-614B-8A02-00000000FC01}4780C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000114132Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:28:01.342{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A82027844757C187D0F1D89E66B474EA,SHA256=7532BB5C8EC1DC8F11E9997D9A90C3D43931E3C293C89B1BB4D07E2C21840447,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000096141Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:28:02.862{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=97A004D0400CD9AA209EE7FFB77AD6E3,SHA256=194561CEEA69BDD1950E6885EFF33A42880B08F8D6D528CBE6AE64AD12C52127,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000114141Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:28:02.373{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=41221549256E14948823AE75BE7949E7,SHA256=DF2F190EAC3F2BC464307AF25F573A5D96B8C1D0542D92CBDAB56C7E55B7BE2B,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000096140Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:28:00.104{601D2BAB-04F9-614B-6600-00000000FD01}2700C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-301.eu-central-1.compute.internal50443-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000096142Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:28:03.909{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1BEEE32F0127CA08358285F4F211686A,SHA256=98D9AB53374A2AB2567AA0D9D42528D6B99FD57C5DC317193BFB40D5D23CB19D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000114142Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:28:03.404{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=55B7E19609B753124C07E97C2DD47893,SHA256=E9318943FCE8BA6158A7A9EC4C91D297C13317AD9FF4A90CAB70E02146799ABD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000096143Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:28:04.909{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC100F74805F75A21E863E28FEAB0590,SHA256=28FB488A59A35F0234CC82D5C724EDB7E9D25157505FDA7DE60D49F398D05B88,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000114183Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:28:04.670{D0132419-04CF-614B-0D00-00000000FC01}908928C:\Windows\system32\svchost.exe{D0132419-0A67-614B-5101-00000000FC01}4416C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000114182Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:28:04.670{D0132419-04CF-614B-0D00-00000000FC01}908928C:\Windows\system32\svchost.exe{D0132419-0A67-614B-5101-00000000FC01}4416C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000114181Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:28:04.670{D0132419-04CF-614B-0D00-00000000FC01}908928C:\Windows\system32\svchost.exe{D0132419-0A67-614B-5101-00000000FC01}4416C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000114180Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:28:04.670{D0132419-04CF-614B-0D00-00000000FC01}908928C:\Windows\system32\svchost.exe{D0132419-0A67-614B-5101-00000000FC01}4416C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000114179Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:28:04.670{D0132419-04CF-614B-0D00-00000000FC01}908928C:\Windows\system32\svchost.exe{D0132419-0A67-614B-5101-00000000FC01}4416C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000114178Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:28:04.670{D0132419-04CF-614B-0D00-00000000FC01}908928C:\Windows\system32\svchost.exe{D0132419-0A67-614B-5101-00000000FC01}4416C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000114177Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:28:04.670{D0132419-04CF-614B-0D00-00000000FC01}908928C:\Windows\system32\svchost.exe{D0132419-0A67-614B-5101-00000000FC01}4416C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000114176Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:28:04.670{D0132419-04CF-614B-0D00-00000000FC01}908928C:\Windows\system32\svchost.exe{D0132419-0A67-614B-5101-00000000FC01}4416C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000114175Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:28:04.670{D0132419-04CF-614B-0D00-00000000FC01}908928C:\Windows\system32\svchost.exe{D0132419-0A66-614B-5001-00000000FC01}4192C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000114174Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:28:04.670{D0132419-04CF-614B-0D00-00000000FC01}908928C:\Windows\system32\svchost.exe{D0132419-0A66-614B-5001-00000000FC01}4192C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000114173Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:28:04.670{D0132419-04CF-614B-0D00-00000000FC01}908928C:\Windows\system32\svchost.exe{D0132419-0A66-614B-5001-00000000FC01}4192C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000114172Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:28:04.670{D0132419-04CF-614B-0D00-00000000FC01}908928C:\Windows\system32\svchost.exe{D0132419-0A66-614B-5001-00000000FC01}4192C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000114171Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:28:04.670{D0132419-04CF-614B-0D00-00000000FC01}908928C:\Windows\system32\svchost.exe{D0132419-0A66-614B-5001-00000000FC01}4192C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000114170Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:28:04.670{D0132419-04CF-614B-0D00-00000000FC01}908928C:\Windows\system32\svchost.exe{D0132419-0A66-614B-5001-00000000FC01}4192C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000114169Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:28:04.670{D0132419-04CF-614B-0D00-00000000FC01}908928C:\Windows\system32\svchost.exe{D0132419-0A66-614B-5001-00000000FC01}4192C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000114168Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:28:04.670{D0132419-04CF-614B-0D00-00000000FC01}908928C:\Windows\system32\svchost.exe{D0132419-0A66-614B-5001-00000000FC01}4192C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000114167Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:28:04.670{D0132419-04CF-614B-0D00-00000000FC01}908928C:\Windows\system32\svchost.exe{D0132419-0A66-614B-5001-00000000FC01}4192C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000114166Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:28:04.670{D0132419-04CF-614B-0D00-00000000FC01}908928C:\Windows\system32\svchost.exe{D0132419-0A66-614B-5001-00000000FC01}4192C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000114165Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:28:04.670{D0132419-04CF-614B-0D00-00000000FC01}908928C:\Windows\system32\svchost.exe{D0132419-0A66-614B-5001-00000000FC01}4192C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000114164Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:28:04.670{D0132419-04CF-614B-0D00-00000000FC01}908928C:\Windows\system32\svchost.exe{D0132419-0A66-614B-5001-00000000FC01}4192C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000114163Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:28:04.670{D0132419-04CF-614B-0D00-00000000FC01}908928C:\Windows\system32\svchost.exe{D0132419-0A66-614B-5001-00000000FC01}4192C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000114162Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:28:04.670{D0132419-04CF-614B-0D00-00000000FC01}908928C:\Windows\system32\svchost.exe{D0132419-0A66-614B-5001-00000000FC01}4192C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000114161Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:28:04.670{D0132419-04CF-614B-0D00-00000000FC01}908928C:\Windows\system32\svchost.exe{D0132419-0A66-614B-5001-00000000FC01}4192C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000114160Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:28:04.670{D0132419-04CF-614B-0D00-00000000FC01}908928C:\Windows\system32\svchost.exe{D0132419-0A66-614B-5001-00000000FC01}4192C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000114159Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:28:04.670{D0132419-04CF-614B-0D00-00000000FC01}908928C:\Windows\system32\svchost.exe{D0132419-0A66-614B-5001-00000000FC01}4192C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000114158Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:28:04.670{D0132419-04CF-614B-0D00-00000000FC01}908928C:\Windows\system32\svchost.exe{D0132419-0A66-614B-5001-00000000FC01}4192C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000114157Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:28:04.670{D0132419-04CF-614B-0D00-00000000FC01}908928C:\Windows\system32\svchost.exe{D0132419-0A66-614B-5001-00000000FC01}4192C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000114156Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:28:04.670{D0132419-04CF-614B-0D00-00000000FC01}908928C:\Windows\system32\svchost.exe{D0132419-0A66-614B-5001-00000000FC01}4192C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000114155Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:28:04.670{D0132419-04CF-614B-0D00-00000000FC01}908928C:\Windows\system32\svchost.exe{D0132419-0A66-614B-5001-00000000FC01}4192C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000114154Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:28:04.670{D0132419-04CF-614B-0D00-00000000FC01}908928C:\Windows\system32\svchost.exe{D0132419-0A66-614B-5001-00000000FC01}4192C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000114153Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:28:04.670{D0132419-04CF-614B-0D00-00000000FC01}908928C:\Windows\system32\svchost.exe{D0132419-0A66-614B-5001-00000000FC01}4192C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000114152Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:28:04.670{D0132419-04CF-614B-0D00-00000000FC01}908928C:\Windows\system32\svchost.exe{D0132419-0A66-614B-5001-00000000FC01}4192C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000114151Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:28:04.670{D0132419-04CF-614B-0D00-00000000FC01}908928C:\Windows\system32\svchost.exe{D0132419-0A66-614B-5001-00000000FC01}4192C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000114150Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:28:04.670{D0132419-04CF-614B-0D00-00000000FC01}908928C:\Windows\system32\svchost.exe{D0132419-0A66-614B-5001-00000000FC01}4192C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000114149Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:28:04.670{D0132419-04CF-614B-0D00-00000000FC01}908928C:\Windows\system32\svchost.exe{D0132419-0A66-614B-5001-00000000FC01}4192C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000114148Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:28:04.670{D0132419-04CF-614B-0D00-00000000FC01}908928C:\Windows\system32\svchost.exe{D0132419-0A66-614B-5001-00000000FC01}4192C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000114147Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:28:04.670{D0132419-04CF-614B-0D00-00000000FC01}908928C:\Windows\system32\svchost.exe{D0132419-0A66-614B-5001-00000000FC01}4192C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000114146Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:28:04.670{D0132419-04CF-614B-0D00-00000000FC01}908928C:\Windows\system32\svchost.exe{D0132419-0A66-614B-5001-00000000FC01}4192C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000114145Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:28:04.670{D0132419-04CF-614B-0D00-00000000FC01}908928C:\Windows\system32\svchost.exe{D0132419-0A66-614B-5001-00000000FC01}4192C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000114144Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:28:04.670{D0132419-04CF-614B-0D00-00000000FC01}908928C:\Windows\system32\svchost.exe{D0132419-0A66-614B-5001-00000000FC01}4192C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000114143Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:28:04.436{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=93D6F03C6E4D5D7071AD7079AF45E5E7,SHA256=81F9A34C6879F14C44FD7F89F09BCC31EDA37A4CB3DD0588BA5DD0DDB1F62CE0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000096157Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:28:05.909{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=729CBC1A5FFB5391C47F23C0F8E87BE1,SHA256=7B2103ACD9110981459E399FB4F3B8E2E83AD90F34CCE9BF98AB594427A290EE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000114184Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:28:05.701{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BBA3B035D84820A4AAE4BEDFDCBCCE88,SHA256=7EE831C442689DAF2A1DDDA8D95CA76B7FF9465079564A5C65194D837019E3F3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000096156Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:28:05.878{601D2BAB-04F0-614B-2B00-00000000FD01}28122832C:\Windows\system32\conhost.exe{601D2BAB-1345-614B-4202-00000000FD01}2372C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000096155Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:28:05.878{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000096154Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:28:05.878{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000096153Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:28:05.878{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000096152Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:28:05.878{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000096151Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:28:05.878{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000096150Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:28:05.878{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000096149Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:28:05.878{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000096148Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:28:05.878{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000096147Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:28:05.878{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000096146Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:28:05.878{601D2BAB-04ED-614B-0500-00000000FD01}412428C:\Windows\system32\csrss.exe{601D2BAB-1345-614B-4202-00000000FD01}2372C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000096145Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:28:05.878{601D2BAB-04EF-614B-2300-00000000FD01}15603852C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{601D2BAB-1345-614B-4202-00000000FD01}2372C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000096144Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:28:05.879{601D2BAB-1345-614B-4202-00000000FD01}2372C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{601D2BAB-04EE-614B-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{601D2BAB-04EF-614B-2300-00000000FD01}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000096160Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:28:06.909{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9A8CA78F292E737A4C84BC1BE358002E,SHA256=52CE346970D4FC74054794D1FE278FE5BB631BB3E1D80741A1CC56D44E0BFAEE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000096159Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:28:06.909{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C3EC3D04D2352EAD5261E4A1730F7C35,SHA256=E88713D46A11738D437846ECD61915A74C988FE2FAC9C0AE9811D038A13740CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000096158Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:28:06.909{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=514016ECFBFD4EF86E32F6E9C30B908F,SHA256=BADCBE853C529219434BAC5ECBC3E3332107BFB32FBD7FB415A33433E8A7C8B9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000114206Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:28:04.670{D0132419-04E8-614B-6A00-00000000FC01}3852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local53271-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000114205Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:28:04.412{D0132419-04DD-614B-2A00-00000000FC01}2988C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-639.attackrange.local53domainfalse10.0.1.14win-dc-639.attackrange.local50062- 354300x8000000000000000114204Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:28:04.411{D0132419-04DD-614B-2A00-00000000FC01}2988C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-639.attackrange.local53domainfalse10.0.1.14win-dc-639.attackrange.local49331- 354300x8000000000000000114203Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:28:04.410{D0132419-04DD-614B-2A00-00000000FC01}2988C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local60133- 10341000x8000000000000000114202Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:28:06.764{D0132419-04DE-614B-3100-00000000FC01}23683044C:\Windows\system32\conhost.exe{D0132419-1346-614B-9D02-00000000FC01}4704C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000114201Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:28:06.764{D0132419-04CF-614B-0C00-00000000FC01}8484484C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000114200Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:28:06.764{D0132419-04CF-614B-0C00-00000000FC01}8484484C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000114199Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:28:06.764{D0132419-04CF-614B-0C00-00000000FC01}8484484C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000114198Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:28:06.764{D0132419-04CF-614B-0C00-00000000FC01}8484484C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000114197Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:28:06.764{D0132419-04CD-614B-0500-00000000FC01}424440C:\Windows\system32\csrss.exe{D0132419-1346-614B-9D02-00000000FC01}4704C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000114196Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:28:06.764{D0132419-04DD-614B-2800-00000000FC01}28323704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D0132419-1346-614B-9D02-00000000FC01}4704C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000114195Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:28:06.765{D0132419-1346-614B-9D02-00000000FC01}4704C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D0132419-04CD-614B-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{D0132419-04DD-614B-2800-00000000FC01}2832C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000114194Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:28:06.733{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2D5C576D08BEEC5A826FABB7E7E3BE37,SHA256=41F63D79C32A0A5E5469562F748369D48FC5A570B5FE5D0C368F4C4A55F85C25,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000114193Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:28:06.483{D0132419-1346-614B-9C02-00000000FC01}3568656C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D0132419-04DD-614B-2800-00000000FC01}2832C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000114192Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:28:06.264{D0132419-04DE-614B-3100-00000000FC01}23683044C:\Windows\system32\conhost.exe{D0132419-1346-614B-9C02-00000000FC01}3568C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000114191Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:28:06.264{D0132419-04CF-614B-0C00-00000000FC01}8484484C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000114190Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:28:06.264{D0132419-04CF-614B-0C00-00000000FC01}8484484C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000114189Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:28:06.264{D0132419-04CF-614B-0C00-00000000FC01}8484484C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000114188Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:28:06.264{D0132419-04CF-614B-0C00-00000000FC01}8484484C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000114187Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:28:06.264{D0132419-04CD-614B-0500-00000000FC01}424440C:\Windows\system32\csrss.exe{D0132419-1346-614B-9C02-00000000FC01}3568C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000114186Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:28:06.264{D0132419-04DD-614B-2800-00000000FC01}28323704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D0132419-1346-614B-9C02-00000000FC01}3568C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000114185Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:28:06.265{D0132419-1346-614B-9C02-00000000FC01}3568C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{D0132419-04CD-614B-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{D0132419-04DD-614B-2800-00000000FC01}2832C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000096189Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:28:07.940{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D52FBCB3FE0B20DDA62793F62A8E307,SHA256=30D4EA7272A0F0D5EC288F25A0058A1BA7A3052D6B40B501A26C1B1D0E815346,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000114225Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:28:07.827{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1284F76193635657909390251F391DAA,SHA256=40882E1A746C50E020168CD56C6AE6B3420DF90BEA5D9943FD9BA9B39CB3645A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000096188Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:28:07.705{601D2BAB-04F0-614B-2B00-00000000FD01}28122832C:\Windows\system32\conhost.exe{601D2BAB-1347-614B-4402-00000000FD01}948C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000096187Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:28:07.705{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000096186Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:28:07.705{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000096185Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:28:07.705{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000096184Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:28:07.705{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000096183Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:28:07.705{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000096182Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:28:07.705{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000096181Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:28:07.705{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000096180Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:28:07.705{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000096179Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:28:07.705{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000096178Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:28:07.705{601D2BAB-04ED-614B-0500-00000000FD01}412428C:\Windows\system32\csrss.exe{601D2BAB-1347-614B-4402-00000000FD01}948C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000096177Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:28:07.705{601D2BAB-04EF-614B-2300-00000000FD01}15603852C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{601D2BAB-1347-614B-4402-00000000FD01}948C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000096176Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:28:07.706{601D2BAB-1347-614B-4402-00000000FD01}948C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{601D2BAB-04EE-614B-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{601D2BAB-04EF-614B-2300-00000000FD01}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000096175Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:28:05.198{601D2BAB-04F9-614B-6600-00000000FD01}2700C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-301.eu-central-1.compute.internal50444-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x800000000000000096174Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:28:07.159{601D2BAB-1347-614B-4302-00000000FD01}31243128C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{601D2BAB-04EF-614B-2300-00000000FD01}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000096173Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:28:07.034{601D2BAB-04F0-614B-2B00-00000000FD01}28122832C:\Windows\system32\conhost.exe{601D2BAB-1347-614B-4302-00000000FD01}3124C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000096172Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:28:07.034{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000096171Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:28:07.034{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000096170Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:28:07.034{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000096169Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:28:07.034{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000096168Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:28:07.034{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000096167Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:28:07.034{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000096166Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:28:07.034{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000096165Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:28:07.034{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000096164Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:28:07.034{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000096163Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:28:07.034{601D2BAB-04ED-614B-0500-00000000FD01}412528C:\Windows\system32\csrss.exe{601D2BAB-1347-614B-4302-00000000FD01}3124C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000096162Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:28:07.034{601D2BAB-04EF-614B-2300-00000000FD01}15603852C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{601D2BAB-1347-614B-4302-00000000FD01}3124C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000096161Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:28:07.034{601D2BAB-1347-614B-4302-00000000FD01}3124C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{601D2BAB-04EE-614B-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{601D2BAB-04EF-614B-2300-00000000FD01}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000114224Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:28:07.529{D0132419-0A66-614B-5001-00000000FC01}41924300C:\Windows\Explorer.EXE{D0132419-12F4-614B-8902-00000000FC01}2016C:\Users\Administrator\AppData\Roaming\WIN32\WIN32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62f15|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000114223Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:28:07.529{D0132419-0A66-614B-5001-00000000FC01}41924300C:\Windows\Explorer.EXE{D0132419-12F4-614B-8902-00000000FC01}2016C:\Users\Administrator\AppData\Roaming\WIN32\WIN32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e2e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000114222Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:28:07.529{D0132419-0A66-614B-5001-00000000FC01}41924300C:\Windows\Explorer.EXE{D0132419-12F4-614B-8902-00000000FC01}2016C:\Users\Administrator\AppData\Roaming\WIN32\WIN32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62df7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000114221Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:28:07.529{D0132419-0A66-614B-5001-00000000FC01}41924344C:\Windows\Explorer.EXE{D0132419-12F4-614B-8A02-00000000FC01}4780C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62890|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000114220Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:28:07.529{D0132419-0A66-614B-5001-00000000FC01}41924344C:\Windows\Explorer.EXE{D0132419-12F4-614B-8A02-00000000FC01}4780C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47bc0|C:\Windows\System32\SHELL32.dll+6284c|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000114219Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:28:07.529{D0132419-0A66-614B-5001-00000000FC01}41924344C:\Windows\Explorer.EXE{D0132419-12F4-614B-8A02-00000000FC01}4780C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62820|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000114218Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:28:07.529{D0132419-0A66-614B-5001-00000000FC01}41924344C:\Windows\Explorer.EXE{D0132419-12F4-614B-8A02-00000000FC01}4780C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000114217Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:28:07.311{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DC74669C2D5000A9B3DCAD9ADA2EA303,SHA256=29267A316D8C24A2292BC47F2CD1D7EBA5BDF0AE804177BC30F48E7A05856D44,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000114216Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:28:07.296{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=918412F0337302EB1AD46286D7CB504D,SHA256=7FCAF32BF37EEC91535BE987219E6A69ACE01CF18F4170E9B2DF82CD6AAC5167,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000114215Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:28:07.264{D0132419-04DE-614B-3100-00000000FC01}23683044C:\Windows\system32\conhost.exe{D0132419-1347-614B-9E02-00000000FC01}5556C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000114214Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:28:07.264{D0132419-04CF-614B-0C00-00000000FC01}8484484C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000114213Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:28:07.264{D0132419-04CF-614B-0C00-00000000FC01}8484484C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000114212Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:28:07.264{D0132419-04CF-614B-0C00-00000000FC01}8484484C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000114211Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:28:07.264{D0132419-04CF-614B-0C00-00000000FC01}8484484C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000114210Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:28:07.264{D0132419-04CD-614B-0500-00000000FC01}42492C:\Windows\system32\csrss.exe{D0132419-1347-614B-9E02-00000000FC01}5556C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000114209Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:28:07.264{D0132419-04DD-614B-2800-00000000FC01}28323704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D0132419-1347-614B-9E02-00000000FC01}5556C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000114208Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:28:07.265{D0132419-1347-614B-9E02-00000000FC01}5556C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D0132419-04CD-614B-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{D0132419-04DD-614B-2800-00000000FC01}2832C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000114207Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:28:07.076{D0132419-1346-614B-9D02-00000000FC01}47044564C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{D0132419-04DD-614B-2800-00000000FC01}2832C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000096191Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:28:08.940{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD43E4767DACC85B9622D41D9BF2FDFD,SHA256=392CDA6A24AA231C15C32D10DC4A4E0FCB5BFEED0B96D011718C3125C1986022,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000114226Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:28:08.858{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=36E179A429BAB31645CEB4BBBE573842,SHA256=FE97F65CF4F31508CCED5ED13F99A90113C37250CC397F72F0F3DE57B9ABD817,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000096190Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:28:08.049{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9A8CA78F292E737A4C84BC1BE358002E,SHA256=52CE346970D4FC74054794D1FE278FE5BB631BB3E1D80741A1CC56D44E0BFAEE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000114227Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:28:09.859{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A1F15493E8E48944D7A1F8C09FEC43B5,SHA256=03B0571CB56941E26A6D27E8D78E7B3158934892395A3E8E639A337F2DEB0091,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000096206Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:28:09.955{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6E40FB9418846B30A0526E141E30A783,SHA256=DF92A2192D1091017379FA964FAFBD22C2C16435C2D962F6AA316F2F1DC60856,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000096205Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:28:09.737{601D2BAB-1349-614B-4502-00000000FD01}1900928C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{601D2BAB-04EF-614B-2300-00000000FD01}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000096204Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:28:09.596{601D2BAB-04F0-614B-2B00-00000000FD01}28122832C:\Windows\system32\conhost.exe{601D2BAB-1349-614B-4502-00000000FD01}1900C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000096203Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:28:09.596{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000096202Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:28:09.596{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000096201Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:28:09.596{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000096200Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:28:09.596{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000096199Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:28:09.596{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000096198Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:28:09.596{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000096197Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:28:09.596{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000096196Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:28:09.596{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000096195Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:28:09.596{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000096194Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:28:09.596{601D2BAB-04ED-614B-0500-00000000FD01}412428C:\Windows\system32\csrss.exe{601D2BAB-1349-614B-4502-00000000FD01}1900C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000096193Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:28:09.596{601D2BAB-04EF-614B-2300-00000000FD01}15603852C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{601D2BAB-1349-614B-4502-00000000FD01}1900C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000096192Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:28:09.597{601D2BAB-1349-614B-4502-00000000FD01}1900C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{601D2BAB-04EE-614B-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{601D2BAB-04EF-614B-2300-00000000FD01}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000114229Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:28:10.873{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E08F6E03B85963A816A370199B9266B8,SHA256=7FD49F38C90D48E137C43C5CB82139956BCEF5CE15075DB2286BB0C7926AF84F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000114228Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:28:10.221{D0132419-04DD-614B-2900-00000000FC01}2876NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-00d0db05f68d8430c\channels\health\respondent-20210922102639-059MD5=345F625AB226979275E8E5CD8333D545,SHA256=49B2C959B2C09B2DF7CFAED4905912E8B63F426A3734D76F2BAAFA07100D73D3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000096234Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:28:10.940{601D2BAB-04F0-614B-2B00-00000000FD01}28122832C:\Windows\system32\conhost.exe{601D2BAB-134A-614B-4702-00000000FD01}1500C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000096233Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:28:10.940{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000096232Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:28:10.940{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000096231Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:28:10.940{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000096230Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:28:10.940{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000096229Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:28:10.940{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000096228Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:28:10.940{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000096227Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:28:10.940{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000096226Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:28:10.940{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000096225Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:28:10.940{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000096224Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:28:10.940{601D2BAB-04ED-614B-0500-00000000FD01}4121044C:\Windows\system32\csrss.exe{601D2BAB-134A-614B-4702-00000000FD01}1500C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000096223Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:28:10.940{601D2BAB-04EF-614B-2300-00000000FD01}15603852C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{601D2BAB-134A-614B-4702-00000000FD01}1500C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000096222Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:28:10.940{601D2BAB-134A-614B-4702-00000000FD01}1500C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{601D2BAB-04EE-614B-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{601D2BAB-04EF-614B-2300-00000000FD01}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000096221Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:28:10.612{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A2C512C65FC6681950392BBC66902D8B,SHA256=8EE3A97AC263F27A3EEE5B1EF23357EA736FC79C1F5D97A1FAADCF0B3DA188EB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000096220Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:28:10.393{601D2BAB-134A-614B-4602-00000000FD01}1868872C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{601D2BAB-04EF-614B-2300-00000000FD01}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000096219Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:28:10.268{601D2BAB-04F0-614B-2B00-00000000FD01}28122832C:\Windows\system32\conhost.exe{601D2BAB-134A-614B-4602-00000000FD01}1868C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000096218Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:28:10.268{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000096217Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:28:10.268{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000096216Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:28:10.268{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000096215Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:28:10.268{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000096214Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:28:10.268{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000096213Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:28:10.268{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000096212Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:28:10.268{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000096211Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:28:10.268{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000096210Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:28:10.268{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000096209Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:28:10.268{601D2BAB-04ED-614B-0500-00000000FD01}412428C:\Windows\system32\csrss.exe{601D2BAB-134A-614B-4602-00000000FD01}1868C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000096208Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:28:10.268{601D2BAB-04EF-614B-2300-00000000FD01}15603852C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{601D2BAB-134A-614B-4602-00000000FD01}1868C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000096207Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:28:10.269{601D2BAB-134A-614B-4602-00000000FD01}1868C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{601D2BAB-04EE-614B-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{601D2BAB-04EF-614B-2300-00000000FD01}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000114231Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:28:11.875{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=965F96D386363AD6C15D949FC49774B5,SHA256=0B215150CAD4DE05A88DEC9DBB7ADF96C94D3735791FD9C711A0DCFBD4F8C6FC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000114230Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:28:11.234{D0132419-04DD-614B-2900-00000000FC01}2876NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-00d0db05f68d8430c\channels\health\surveyor-20210922102637-060MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000096237Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:28:11.955{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F406DFA67BF5D4FBF944DBFABD515430,SHA256=1A07A898D6A53EB8F649870B59850A014F1007FF8B8F35F1DBE82E7DE364E540,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000096236Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:28:11.080{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=45A4ECB35D5B1439CD27788EAC2B079B,SHA256=59C0148E1D74EB276A99055F0863A7AEF15E0D695F68F02976957505212BB7AC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000096235Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:28:11.049{601D2BAB-134A-614B-4702-00000000FD01}15001148C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{601D2BAB-04EF-614B-2300-00000000FD01}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000114233Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:28:12.890{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C4E96F3E59B5EB8E3EC1A573591388AB,SHA256=420640C93D2E4A3CAEA4A89BA0B458B91CC951832B8236918CCB1F955DA02D2D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000096251Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:28:12.971{601D2BAB-04F0-614B-2B00-00000000FD01}28122832C:\Windows\system32\conhost.exe{601D2BAB-134C-614B-4802-00000000FD01}3036C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000096250Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:28:12.971{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000096249Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:28:12.971{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000096248Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:28:12.971{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000096247Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:28:12.971{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000096246Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:28:12.971{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000096245Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:28:12.971{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000096244Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:28:12.971{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000096243Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:28:12.971{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000096242Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:28:12.971{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000096241Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:28:12.971{601D2BAB-04ED-614B-0500-00000000FD01}4121044C:\Windows\system32\csrss.exe{601D2BAB-134C-614B-4802-00000000FD01}3036C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000096240Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:28:12.971{601D2BAB-04EF-614B-2300-00000000FD01}15603852C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{601D2BAB-134C-614B-4802-00000000FD01}3036C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000096239Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:28:12.972{601D2BAB-134C-614B-4802-00000000FD01}3036C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{601D2BAB-04EE-614B-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{601D2BAB-04EF-614B-2300-00000000FD01}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000096238Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:28:12.049{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CD464C011CCF57EA10FBFB86EAC9DA03,SHA256=9B901705344C8CE28086815C30BCA31CCC495CF31CEA780B0591BD9844F8D983,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000114232Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:28:10.623{D0132419-04E8-614B-6A00-00000000FC01}3852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local53272-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000114234Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:28:13.906{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=271F3AADA3B457FE5A2A4F32B88DC74B,SHA256=B7AC9D45AD3463A4CD84CC52AFDC78168B62B10C189B1FF34EA31B71EC08DEBE,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000096253Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:28:11.167{601D2BAB-04F9-614B-6600-00000000FD01}2700C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-301.eu-central-1.compute.internal50445-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000096252Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:28:13.065{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF2FC15FACBB94471B193BF6CA9AAA1A,SHA256=772BEB38C26E485740D0931A7DE133F83C3B40E315360AAC0E6D7D76C890FB75,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000114235Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:28:14.921{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=88644C9207A16D6C12835BA87EE2EB53,SHA256=BBED24DD84DCC4CD1E9E0E1857AE62F59AAEB26E29CD0E422708A206665D16B1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000096255Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:28:14.111{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB6F2A0D8ED9BE53E2FCF9BAF583FEED,SHA256=13A1A5A7843BA09CDE861DC7205B1BB2299FC93C86FFEC53509D551E16300BCB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000096254Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:28:14.096{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=996BBF68E9D6914D45395F308F93A597,SHA256=A3E2D34947B0C1E2612357CC0C1F5EC4A02FF59B3B02868660C9A7603474E43D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000114236Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:28:15.953{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0BBF1658020C13F2CDF051035C8B7173,SHA256=8E31A13B663DA1ACCB8C95EBBE62B8C071F0D673B2A4C0CB801E5BA4C91B5C57,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000096256Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:28:15.174{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ABC5ED902364FD20DC16D6C659DEACD6,SHA256=8BF4AF3EAE3FC65D98DFA6F2D4F5B6C3F14223AB3440FCA8B9E5099E2A093C3A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000114237Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:28:16.968{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD4F59888A93557B74B17DD716AB5CA8,SHA256=BC26C74AC52A67055F5F53E7C3C6054801F22C7EC5B69E3E0A915FBD7BE4D1F3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000096257Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:28:16.174{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E8F1EC9FD197AED743E47284ED10977,SHA256=50F22D54C4B64D9D50A468D2776F3C820D92861F11AB3C1D22C5DC06E65A2CD5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000096258Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:28:17.189{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E06B90616ACC9C6705819E90EF30EFA,SHA256=2F46D3E7C997A38B700CDC513584D2B11ADCA405A0D4A8D13B184575E2BF383C,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000096260Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:28:17.183{601D2BAB-04F9-614B-6600-00000000FD01}2700C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-301.eu-central-1.compute.internal50446-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000096259Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:28:18.205{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3315F772B27D721451867CDD83547034,SHA256=0DBF4D17A3137F27E8ABA83CAB48C5EC901ED9E0208EDD394000BE3A5506A4BA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000114239Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:28:18.093{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=25BB0E8452B186E9C23A0F917DDA47B5,SHA256=71C931E152FDEF61E65E46BD81833FA327F67D88418B38CBCCA50C1B98044213,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000114238Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:28:15.640{D0132419-04E8-614B-6A00-00000000FC01}3852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local53273-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000114240Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:28:19.125{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F239BC67B770BBBDCDC5B3D83612EEF9,SHA256=D295A47FF5C9BD1B61E419FA6D35895987CC0B918206321AD54FDE25F1CEB2EE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000096261Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:28:19.267{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1193159C536C003A7F16C0199DB47C63,SHA256=2A77365BE5BFBB8EFCEBFA970C6F23A9AE66B4DD34D4C97DD510D62C960E515B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000114241Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:28:20.140{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=006D7B0EC4A1248F9C271097D169B310,SHA256=7C989DD79D395A016E3FE4D6BF994DC9DF91E6A27108330DD512E44C4A2CFBEC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000096262Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:28:20.287{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA829C5598F3928C5684833AF252290F,SHA256=DDF754B3749644E1F0FBB7BAC07F82E1772BD4DBFC2F3350A3C2E4C60D459868,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000114242Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:28:21.187{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C452DF5258ED2BD4714975ABB3B47EB,SHA256=33273174BA7B4F077FFB8366D8E596F081D7CC58B5F29C5016298C5B065B9FDA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000096263Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:28:21.287{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B6E080B697A5CEF63E939C35134C5D45,SHA256=FB3D9031852319F63E7C37C7248675AD4796683CA3484352405554F8F1F0BDB3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000096264Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:28:22.302{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E46FCC73242E8F61D6C23D48E637D4D0,SHA256=B066766723318C1CD669A85E1AB5C12665BFDBD4D23E8CEB04FE870D2AA7F0E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000114243Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:28:22.203{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4FD6D5A433027B9055999B35F783FB56,SHA256=6BB9E0AF646EBC48F67863CFC4017022CAD8DB3A00D42E8ADB3DBD7D83665D15,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000096265Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:28:23.412{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E92099459EE8687E0AA7E8ACB4366D41,SHA256=185A7C1690BAE746920B09FF60C6D83A233362BED58376FFBE7D8A44FDBB3BB4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000114244Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:28:23.218{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5EF99D3ED5A3E441607EE10C50E2F6D6,SHA256=3C795529A30A95680BD0D64C329461F65792841FB9011E6C3E825F8A5FC0A742,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000114246Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:28:21.656{D0132419-04E8-614B-6A00-00000000FC01}3852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local53274-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000114245Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:28:24.281{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=547E24A22858C9F8FD1EADDA15B87AAF,SHA256=07A534AAD896661A7DF2FE39DC75EFCA308436C32BAB9F1ED9A1C30B36768AB8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000096266Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:28:24.412{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D58DAE779829B0C71D940BFAA94901BA,SHA256=E6B14286CF06326AC77DA0DA83E8FB3C03BBF77DCA9306486C8E72671707CF53,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000114248Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:28:25.312{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=810989AB0695291454C34BE332E48D08,SHA256=E34C5B01BA708586732C26DA34A9FA8AE833451BD411B4B9898AB606DEBBA620,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000096268Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:28:23.062{601D2BAB-04F9-614B-6600-00000000FD01}2700C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-301.eu-central-1.compute.internal50447-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000096267Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:28:25.412{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5FF86A78F54BED38EF6F80BE0BC843F3,SHA256=6DD56AEF24AABBD9337E1D183FEBC79B1C1B96A4E50CA3378E2109D19CF1F6EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000114247Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:28:25.109{D0132419-04D0-614B-1300-00000000FC01}396NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=66168C22B7318B4F49B894E3F05DAA1C,SHA256=646CC66CA62377767B5C6870CA07CDE8B5579530A1BC22A89DB05D130275EC5E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000114249Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:28:26.391{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF0683902F79CE9A0AC604F03B03426A,SHA256=B3F7AEE9F89515596E6F0CA333E9D2107FEA5BDCB106C64EFBF622F290148F40,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000096269Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:28:26.411{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=06A450F1094612308FBDED5B439F019A,SHA256=2FDD79F3B278A6BD1C121BADFE3B1798676E55DF580A4DD083EDDF4EBB1725E1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000114250Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:28:27.421{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=542AC3B946BD0DC657D9AE8944E1420D,SHA256=571785F0D578E995AF97EE315290BFDB138F06F16B43579B3656DD7A228DC0B2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000096271Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:28:27.744{601D2BAB-04EF-614B-1D00-00000000FD01}1920NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-03510517867203100\channels\health\respondent-20210922102657-059MD5=22FBA84AE51C77110BB6250FAEBEFB73,SHA256=8C4862C18A6D8E85F040577B2F2863C8212E82437A5FE9547DE6724818512818,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000096270Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:28:27.414{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CF23ED6E04CBB6360743614B098D339F,SHA256=3A04C9A471647F19B214AB8D3C1CF884640D50A02A6FB703CBF5202C43643FAA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000114251Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:28:28.453{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D29A2CCF9EA730D1295333206B8112E,SHA256=0667844F0C9F592DB79A4C5EB5510AC317D3F93AE261110575E85265A837774C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000096273Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:28:28.756{601D2BAB-04EF-614B-1D00-00000000FD01}1920NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-03510517867203100\channels\health\surveyor-20210922102655-060MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000096272Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:28:28.427{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7588D45EA64C92347FDFBBE11846B491,SHA256=FD91A084B7B6B059471C189FED3C2398E220A020FCC7FEE2380C796F23C218C8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000114252Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:28:29.469{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D14FC60FEFFBEF3CC5117A84002E7893,SHA256=9C38F4C8DF18F3485BF1720953076FF79D3786B78DDDDFC82746A75324CFE4A3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000096274Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:28:29.428{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D8F366D452419068456D3BA6E90CF7E,SHA256=3C06A8DE204AC6FAB86F21EF53AE5AB176891E070130BB91A9A734B35EC12855,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000114254Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:28:27.687{D0132419-04E8-614B-6A00-00000000FC01}3852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local53275-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000114253Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:28:30.484{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB66BDC4201E0A888A848E5FFED29D0C,SHA256=720577B718C972A8EFFCBAF9AD6656CBE0C78803B10F543AC6BAC505A351C746,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000096275Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:28:30.475{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=525D357BAD7F72548DF1A9FE0B4DF2B2,SHA256=5093970EB91A7ADFFFCFA489E2B6FBD60C15857AA75746A615B64E10A0CE4F61,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000096277Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:28:31.537{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D0769C31F016D745EBB3C2ADF56FBFA8,SHA256=29FD8CDAFE04EA277F709904A2683F21EBDB465DBC5C9CD5C3A83A54D2830D8C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000114255Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:28:31.500{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=578827B91C07E48FB358F12ADD6566DF,SHA256=66DB7A5772ECD710F297DBFB1470C6227C76029009641B1D79AAECB5ADE0393A,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000096276Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:28:29.092{601D2BAB-04F9-614B-6600-00000000FD01}2700C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-301.eu-central-1.compute.internal50448-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000114256Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:28:32.515{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B9FE7998653817483687A038257361AC,SHA256=021412CBA092FD48140DA4ABDAEB07DECA2B7776B46962A1EBE87F7B7787ACD8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000096278Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:28:32.553{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AECF3E7E96E9CF04C78F7ED1E3CFFBFD,SHA256=748E60A0944F1DF1BA5CACF86CDE39183F93D327D75C882254E4F861D4188E11,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000114257Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:28:33.531{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=016D824712ABF8FEC9F13BEB6843F4A9,SHA256=6083AC2A550A27B07DB98956BA235DAC685D7E6E36FA8281E28F7B8FE0761008,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000096279Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:28:33.553{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=20E18EB8F2026CA8E8B8DE4FD952B633,SHA256=7C210DB3C4B996016E51447951E353D71643C86502056D12A6ACBB54D9AE2071,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000114258Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:28:34.546{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F4B459D45E373283917796805F9A8F2,SHA256=9DF8B671F2CC2DE0E97488CE74A94A241D78BB58237F70140BD62AA968BCF74C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000096280Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:28:34.552{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=23ACAD7D103FC58C370CCA3C918849A7,SHA256=3B3BBC11E7D23E8E0777BD95C0A1078FD07C08D8C995495789058AF55F4248A1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000096281Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:28:35.552{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E6B230E0C45A563554658C099920FDB,SHA256=AF35AAB479EF64890E2FDDF1B05D9E6FA761C144E3E93E360386A407970C6EE2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000114260Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:28:35.578{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C6ACBDC403538B94BA9C4C9CB9FF94BE,SHA256=44399B02A08E5B369E7EBB8F04C59B7BA67C146960DE194AE61610074C3C3C01,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000114259Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:28:33.687{D0132419-04E8-614B-6A00-00000000FC01}3852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local53276-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000114261Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:28:36.578{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D49309E104710A0FDC7FF0937463571,SHA256=E1375CA21E04CB3D4D677EC10ACB271E4ACB0054A07E9869420A1075576D7F46,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000096283Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:28:36.584{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5918AC4E3133AD05269C0BC2B30C398F,SHA256=2CAB07FA8E9332BC2959CE9A8866E94A868990CE1364E09A498907E9A9BEA208,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000096282Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:28:34.157{601D2BAB-04F9-614B-6600-00000000FD01}2700C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-301.eu-central-1.compute.internal50449-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000114312Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:28:37.890{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=88DF8CBE19DFCA285A0610DB8B34151E,SHA256=1DF324A097CE14986CDC77EE609FDC903AE76F06E38D33AEB84AB97EA27483FF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000114311Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:28:37.828{D0132419-0A65-614B-4601-00000000FC01}7122232C:\Windows\System32\RuntimeBroker.exe{D0132419-0A67-614B-5101-00000000FC01}4416C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15171|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1e1d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1f63|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+8addb|C:\Windows\System32\combase.dll+8c2d2|C:\Windows\System32\combase.dll+39b93|C:\Windows\System32\combase.dll+8c4dd|C:\Windows\System32\combase.dll+37ebf|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+34376|C:\Windows\System32\combase.dll+33b2a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751 23542300x800000000000000096284Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:28:37.646{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4917A9CED88649991D70F721443E9D96,SHA256=D05D2FE00835CEAE7F29FC609375A2C695B18013832D22A4E49C9237A98ED08A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000114310Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:28:37.828{D0132419-0A65-614B-4601-00000000FC01}7122232C:\Windows\System32\RuntimeBroker.exe{D0132419-0A67-614B-5101-00000000FC01}4416C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15084|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1e1d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1f63|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+8addb|C:\Windows\System32\combase.dll+8c2d2|C:\Windows\System32\combase.dll+39b93|C:\Windows\System32\combase.dll+8c4dd|C:\Windows\System32\combase.dll+37ebf|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+34376|C:\Windows\System32\combase.dll+33b2a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751 10341000x8000000000000000114309Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:28:37.828{D0132419-0A65-614B-4601-00000000FC01}7122232C:\Windows\System32\RuntimeBroker.exe{D0132419-0A67-614B-5101-00000000FC01}4416C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15171|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1e1d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1f63|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+8addb|C:\Windows\System32\combase.dll+8c2d2|C:\Windows\System32\combase.dll+39b93|C:\Windows\System32\combase.dll+8c4dd|C:\Windows\System32\combase.dll+37ebf|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+34376|C:\Windows\System32\combase.dll+33b2a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751 10341000x8000000000000000114308Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:28:37.828{D0132419-0A65-614B-4601-00000000FC01}7122232C:\Windows\System32\RuntimeBroker.exe{D0132419-0A67-614B-5101-00000000FC01}4416C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15084|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1e1d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1f63|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+8addb|C:\Windows\System32\combase.dll+8c2d2|C:\Windows\System32\combase.dll+39b93|C:\Windows\System32\combase.dll+8c4dd|C:\Windows\System32\combase.dll+37ebf|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+34376|C:\Windows\System32\combase.dll+33b2a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751 10341000x8000000000000000114307Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:28:37.812{D0132419-0A65-614B-4601-00000000FC01}7122232C:\Windows\System32\RuntimeBroker.exe{D0132419-0A67-614B-5101-00000000FC01}4416C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15171|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1e1d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1f63|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+8addb|C:\Windows\System32\combase.dll+8c2d2|C:\Windows\System32\combase.dll+39b93|C:\Windows\System32\combase.dll+8c4dd|C:\Windows\System32\combase.dll+37ebf|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+34376|C:\Windows\System32\combase.dll+33b2a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751 10341000x8000000000000000114306Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:28:37.812{D0132419-0A65-614B-4601-00000000FC01}7124184C:\Windows\System32\RuntimeBroker.exe{D0132419-0A67-614B-5101-00000000FC01}4416C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15171|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1e1d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1f63|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+618c3|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+8addb|C:\Windows\System32\combase.dll+8c2d2|C:\Windows\System32\combase.dll+39b93|C:\Windows\System32\combase.dll+8c4dd|C:\Windows\System32\combase.dll+37ebf|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+34376|C:\Windows\System32\combase.dll+33b2a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751 10341000x8000000000000000114305Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:28:37.812{D0132419-0A65-614B-4601-00000000FC01}7124844C:\Windows\System32\RuntimeBroker.exe{D0132419-0A67-614B-5101-00000000FC01}4416C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15171|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1e1d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1f63|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+8addb|C:\Windows\System32\combase.dll+8c2d2|C:\Windows\System32\combase.dll+39b93|C:\Windows\System32\combase.dll+8c4dd|C:\Windows\System32\combase.dll+37ebf|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+34376|C:\Windows\System32\combase.dll+33b2a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751 10341000x8000000000000000114304Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:28:37.812{D0132419-0A65-614B-4601-00000000FC01}7124516C:\Windows\System32\RuntimeBroker.exe{D0132419-0A67-614B-5101-00000000FC01}4416C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15171|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1e1d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1f63|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+8addb|C:\Windows\System32\combase.dll+8c2d2|C:\Windows\System32\combase.dll+39b93|C:\Windows\System32\combase.dll+8c4dd|C:\Windows\System32\combase.dll+37ebf|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+34376|C:\Windows\System32\combase.dll+33b2a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751 10341000x8000000000000000114303Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:28:37.812{D0132419-0A65-614B-4601-00000000FC01}7126020C:\Windows\System32\RuntimeBroker.exe{D0132419-0A67-614B-5101-00000000FC01}4416C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15171|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1e1d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1f63|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+618c3|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+8addb|C:\Windows\System32\combase.dll+8c2d2|C:\Windows\System32\combase.dll+39b93|C:\Windows\System32\combase.dll+8c4dd|C:\Windows\System32\combase.dll+37ebf|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+34376|C:\Windows\System32\combase.dll+33b2a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751 10341000x8000000000000000114302Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:28:37.812{D0132419-0A65-614B-4601-00000000FC01}7124844C:\Windows\System32\RuntimeBroker.exe{D0132419-0A67-614B-5101-00000000FC01}4416C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15084|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1e1d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1f63|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+8addb|C:\Windows\System32\combase.dll+8c2d2|C:\Windows\System32\combase.dll+39b93|C:\Windows\System32\combase.dll+8c4dd|C:\Windows\System32\combase.dll+37ebf|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+34376|C:\Windows\System32\combase.dll+33b2a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751 10341000x8000000000000000114301Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:28:37.812{D0132419-0A65-614B-4601-00000000FC01}7124184C:\Windows\System32\RuntimeBroker.exe{D0132419-0A67-614B-5101-00000000FC01}4416C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15084|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1e1d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1f63|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+618c3|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+8addb|C:\Windows\System32\combase.dll+8c2d2|C:\Windows\System32\combase.dll+39b93|C:\Windows\System32\combase.dll+8c4dd|C:\Windows\System32\combase.dll+37ebf|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+34376|C:\Windows\System32\combase.dll+33b2a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751 10341000x8000000000000000114300Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:28:37.812{D0132419-0A65-614B-4601-00000000FC01}7124516C:\Windows\System32\RuntimeBroker.exe{D0132419-0A67-614B-5101-00000000FC01}4416C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15084|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1e1d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1f63|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+8addb|C:\Windows\System32\combase.dll+8c2d2|C:\Windows\System32\combase.dll+39b93|C:\Windows\System32\combase.dll+8c4dd|C:\Windows\System32\combase.dll+37ebf|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+34376|C:\Windows\System32\combase.dll+33b2a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751 10341000x8000000000000000114299Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:28:37.812{D0132419-0A65-614B-4601-00000000FC01}7122232C:\Windows\System32\RuntimeBroker.exe{D0132419-0A67-614B-5101-00000000FC01}4416C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15084|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1e1d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1f63|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+8addb|C:\Windows\System32\combase.dll+8c2d2|C:\Windows\System32\combase.dll+39b93|C:\Windows\System32\combase.dll+8c4dd|C:\Windows\System32\combase.dll+37ebf|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+34376|C:\Windows\System32\combase.dll+33b2a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751 10341000x8000000000000000114298Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:28:37.812{D0132419-0A65-614B-4601-00000000FC01}7126020C:\Windows\System32\RuntimeBroker.exe{D0132419-0A67-614B-5101-00000000FC01}4416C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15084|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1e1d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1f63|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+618c3|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+8addb|C:\Windows\System32\combase.dll+8c2d2|C:\Windows\System32\combase.dll+39b93|C:\Windows\System32\combase.dll+8c4dd|C:\Windows\System32\combase.dll+37ebf|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+34376|C:\Windows\System32\combase.dll+33b2a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751 10341000x8000000000000000114297Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:28:37.812{D0132419-0A65-614B-4601-00000000FC01}7125780C:\Windows\System32\RuntimeBroker.exe{D0132419-0A67-614B-5101-00000000FC01}4416C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15171|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1e1d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1f63|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+618c3|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+8addb|C:\Windows\System32\combase.dll+8c2d2|C:\Windows\System32\combase.dll+39b93|C:\Windows\System32\combase.dll+8c4dd|C:\Windows\System32\combase.dll+37ebf|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+34376|C:\Windows\System32\combase.dll+33b2a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751 10341000x8000000000000000114296Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:28:37.812{D0132419-0A65-614B-4601-00000000FC01}7125780C:\Windows\System32\RuntimeBroker.exe{D0132419-0A67-614B-5101-00000000FC01}4416C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15084|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1e1d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1f63|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+618c3|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+8addb|C:\Windows\System32\combase.dll+8c2d2|C:\Windows\System32\combase.dll+39b93|C:\Windows\System32\combase.dll+8c4dd|C:\Windows\System32\combase.dll+37ebf|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+34376|C:\Windows\System32\combase.dll+33b2a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751 10341000x8000000000000000114295Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:28:37.796{D0132419-0A65-614B-4601-00000000FC01}7124112C:\Windows\System32\RuntimeBroker.exe{D0132419-0A67-614B-5101-00000000FC01}4416C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169ae|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1535|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16ef|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+a243|C:\Windows\System32\combase.dll+76e7a|C:\Windows\System32\combase.dll+6dc4d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b283|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7 10341000x8000000000000000114294Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:28:37.796{D0132419-0A65-614B-4601-00000000FC01}7121188C:\Windows\System32\RuntimeBroker.exe{D0132419-0A67-614B-5101-00000000FC01}4416C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169ae|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1535|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16ef|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+a243|C:\Windows\System32\combase.dll+76e7a|C:\Windows\System32\combase.dll+6dc4d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b283|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7 10341000x8000000000000000114293Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:28:37.796{D0132419-0A65-614B-4601-00000000FC01}7125148C:\Windows\System32\RuntimeBroker.exe{D0132419-0A67-614B-5101-00000000FC01}4416C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169ae|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1535|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16ef|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+a243|C:\Windows\System32\combase.dll+76e7a|C:\Windows\System32\combase.dll+6dc4d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b283|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7 10341000x8000000000000000114292Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:28:37.796{D0132419-0A65-614B-4601-00000000FC01}7125788C:\Windows\System32\RuntimeBroker.exe{D0132419-0A67-614B-5101-00000000FC01}4416C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169ae|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1535|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16ef|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+a243|C:\Windows\System32\combase.dll+76e7a|C:\Windows\System32\combase.dll+6dc4d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b283|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7 10341000x8000000000000000114291Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:28:37.796{D0132419-0A65-614B-4601-00000000FC01}7124156C:\Windows\System32\RuntimeBroker.exe{D0132419-0A67-614B-5101-00000000FC01}4416C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169ae|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1535|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16ef|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+a243|C:\Windows\System32\combase.dll+76e7a|C:\Windows\System32\combase.dll+6dc4d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b283|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7 10341000x8000000000000000114290Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:28:37.796{D0132419-0A65-614B-4601-00000000FC01}7122296C:\Windows\System32\RuntimeBroker.exe{D0132419-0A67-614B-5101-00000000FC01}4416C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169ae|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1535|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16ef|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+a243|C:\Windows\System32\combase.dll+76e7a|C:\Windows\System32\combase.dll+6dc4d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b283|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7 10341000x8000000000000000114289Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:28:37.796{D0132419-0A65-614B-4601-00000000FC01}7124200C:\Windows\System32\RuntimeBroker.exe{D0132419-0A67-614B-5101-00000000FC01}4416C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169ae|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1535|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16ef|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+a243|C:\Windows\System32\combase.dll+76e7a|C:\Windows\System32\combase.dll+6dc4d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b283|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7 10341000x8000000000000000114288Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:28:37.796{D0132419-0A65-614B-4601-00000000FC01}7125160C:\Windows\System32\RuntimeBroker.exe{D0132419-0A67-614B-5101-00000000FC01}4416C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169ae|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1535|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16ef|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+a243|C:\Windows\System32\combase.dll+76e7a|C:\Windows\System32\combase.dll+6dc4d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b283|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7 23542300x8000000000000000114287Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:28:37.640{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E06F8ECB76951393163129CF4FE466D4,SHA256=0FE021EE661EBABDA596DE1B6B1F5F8DDD17A344912958BF968009E1D10F6094,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000114286Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:28:37.609{D0132419-0A65-614B-4601-00000000FC01}7125160C:\Windows\System32\RuntimeBroker.exe{D0132419-0A67-614B-5201-00000000FC01}4528C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+16557|C:\Windows\system32\windows.cortana.Desktop.dll+12d9b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+76e7a|C:\Windows\System32\combase.dll+6dc4d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b283|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000114285Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:28:37.609{D0132419-0A65-614B-4601-00000000FC01}7125160C:\Windows\System32\RuntimeBroker.exe{D0132419-0A67-614B-5201-00000000FC01}4528C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+12d31|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+76e7a|C:\Windows\System32\combase.dll+6dc4d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b283|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000114284Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:28:37.609{D0132419-0A66-614B-5001-00000000FC01}41924236C:\Windows\Explorer.EXE{D0132419-0A67-614B-5201-00000000FC01}4528C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000114283Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:28:37.609{D0132419-0A66-614B-5001-00000000FC01}41924236C:\Windows\Explorer.EXE{D0132419-0A67-614B-5201-00000000FC01}4528C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000114282Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:28:37.578{D0132419-0A65-614B-4601-00000000FC01}7125160C:\Windows\System32\RuntimeBroker.exe{D0132419-0A67-614B-5201-00000000FC01}4528C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+76e7a|C:\Windows\System32\combase.dll+6dc4d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b283|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000114281Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:28:37.578{D0132419-0A65-614B-4601-00000000FC01}7125160C:\Windows\System32\RuntimeBroker.exe{D0132419-0A67-614B-5201-00000000FC01}4528C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+76e7a|C:\Windows\System32\combase.dll+6dc4d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b283|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 10341000x8000000000000000114280Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:28:37.562{D0132419-0A66-614B-5001-00000000FC01}41924308C:\Windows\Explorer.EXE{D0132419-0A67-614B-5201-00000000FC01}4528C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+b6c18|C:\Windows\System32\TwinUI.dll+b7777|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+37c8f|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+34376|C:\Windows\System32\combase.dll+33b2a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x8000000000000000114279Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:28:37.562{D0132419-0A66-614B-5001-00000000FC01}41924308C:\Windows\Explorer.EXE{D0132419-0A67-614B-5201-00000000FC01}4528C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+b6c18|C:\Windows\System32\TwinUI.dll+b7777|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+37c8f|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+34376|C:\Windows\System32\combase.dll+33b2a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x8000000000000000114278Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:28:37.562{D0132419-0A66-614B-5001-00000000FC01}41925344C:\Windows\Explorer.EXE{D0132419-0A67-614B-5201-00000000FC01}4528C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62f15|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000114277Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:28:37.562{D0132419-0A66-614B-5001-00000000FC01}41925344C:\Windows\Explorer.EXE{D0132419-0A67-614B-5201-00000000FC01}4528C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e2e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000114276Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:28:37.562{D0132419-0A66-614B-5001-00000000FC01}41925344C:\Windows\Explorer.EXE{D0132419-0A67-614B-5201-00000000FC01}4528C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62df7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000114275Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:28:37.546{D0132419-04CF-614B-0C00-00000000FC01}8481412C:\Windows\system32\svchost.exe{D0132419-0A67-614B-5201-00000000FC01}4528C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a384|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000114274Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:28:37.546{D0132419-04CF-614B-0C00-00000000FC01}8481412C:\Windows\system32\svchost.exe{D0132419-0A67-614B-5201-00000000FC01}4528C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000114273Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:28:37.546{D0132419-04CF-614B-0C00-00000000FC01}8481412C:\Windows\system32\svchost.exe{D0132419-0A67-614B-5101-00000000FC01}4416C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000114272Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:28:37.546{D0132419-04CF-614B-0C00-00000000FC01}8484484C:\Windows\system32\svchost.exe{D0132419-0A67-614B-5201-00000000FC01}4528C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12fce|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000114271Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:28:37.546{D0132419-04CF-614B-0C00-00000000FC01}8484484C:\Windows\system32\svchost.exe{D0132419-0A67-614B-5201-00000000FC01}4528C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000114270Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:28:37.546{D0132419-04CF-614B-0C00-00000000FC01}8484484C:\Windows\system32\svchost.exe{D0132419-0A67-614B-5101-00000000FC01}4416C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000114269Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:28:37.546{D0132419-0A66-614B-5001-00000000FC01}41924344C:\Windows\Explorer.EXE{D0132419-0A67-614B-5201-00000000FC01}4528C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000114268Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:28:37.546{D0132419-04CF-614B-0C00-00000000FC01}8484484C:\Windows\system32\svchost.exe{D0132419-0A67-614B-5201-00000000FC01}4528C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000114267Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:28:37.546{D0132419-0A66-614B-5001-00000000FC01}41925364C:\Windows\Explorer.EXE{D0132419-0A67-614B-5201-00000000FC01}4528C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000114266Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:28:37.546{D0132419-0A66-614B-5001-00000000FC01}41925364C:\Windows\Explorer.EXE{D0132419-0A67-614B-5201-00000000FC01}4528C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000114265Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:28:37.531{D0132419-04CF-614B-0C00-00000000FC01}8484484C:\Windows\system32\svchost.exe{D0132419-0A67-614B-5101-00000000FC01}4416C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000114264Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:28:37.531{D0132419-0A66-614B-5001-00000000FC01}41924308C:\Windows\Explorer.EXE{D0132419-0A67-614B-5201-00000000FC01}4528C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+4bfa5|C:\Windows\System32\TwinUI.dll+23084|C:\Windows\System32\TwinUI.dll+23138|C:\Windows\System32\TwinUI.dll+2444f|C:\Windows\System32\TwinUI.dll+22a1d|C:\Windows\System32\TwinUI.dll+22871|C:\Windows\System32\TwinUI.dll+15bffd|C:\Windows\System32\TwinUI.dll+ced8f|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000114263Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:28:37.531{D0132419-0A66-614B-5001-00000000FC01}41924308C:\Windows\Explorer.EXE{D0132419-0A67-614B-5101-00000000FC01}4416C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+4bfa5|C:\Windows\System32\TwinUI.dll+230ec|C:\Windows\System32\TwinUI.dll+23125|C:\Windows\System32\TwinUI.dll+2444f|C:\Windows\System32\TwinUI.dll+22a1d|C:\Windows\System32\TwinUI.dll+22871|C:\Windows\System32\TwinUI.dll+15bffd|C:\Windows\System32\TwinUI.dll+ced8f|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000114262Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:28:37.125{D0132419-04DD-614B-2800-00000000FC01}2832NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=2990B16A694DD695D7F6C8AE7AEE48F0,SHA256=B465CF03FBDF89CAB3FC04972E2D540944CDC3DF8EB3010FFE979D2D499C10D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000096285Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:28:38.677{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C84173234A1B533CD85720E123602F5,SHA256=1BD171C7B9D8C732D320937DE65D5738C467B5419F1121E2179EE3E2ACBEC959,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000114330Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:28:38.765{D0132419-0A65-614B-4601-00000000FC01}7122232C:\Windows\System32\RuntimeBroker.exe{D0132419-0A67-614B-5101-00000000FC01}4416C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15171|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1e1d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1f63|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+8addb|C:\Windows\System32\combase.dll+8c2d2|C:\Windows\System32\combase.dll+39b93|C:\Windows\System32\combase.dll+8c4dd|C:\Windows\System32\combase.dll+37ebf|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+34376|C:\Windows\System32\combase.dll+33b2a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751 10341000x8000000000000000114329Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:28:38.765{D0132419-0A65-614B-4601-00000000FC01}7122232C:\Windows\System32\RuntimeBroker.exe{D0132419-0A67-614B-5101-00000000FC01}4416C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15084|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1e1d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1f63|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+8addb|C:\Windows\System32\combase.dll+8c2d2|C:\Windows\System32\combase.dll+39b93|C:\Windows\System32\combase.dll+8c4dd|C:\Windows\System32\combase.dll+37ebf|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+34376|C:\Windows\System32\combase.dll+33b2a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751 10341000x8000000000000000114328Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:28:38.765{D0132419-0A65-614B-4601-00000000FC01}7126060C:\Windows\System32\RuntimeBroker.exe{D0132419-0A67-614B-5101-00000000FC01}4416C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169ae|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1535|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16ef|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+a243|C:\Windows\System32\combase.dll+76e7a|C:\Windows\System32\combase.dll+6dc4d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b283|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7 354300x8000000000000000114327Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:28:36.593{D0132419-04DD-614B-2800-00000000FC01}2832C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local53277-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x8000000000000000114326Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:28:38.625{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=73761C072834420D6DC9D9A2697FD201,SHA256=69E341532F0F4F9F6F02FF23ED041DAD29E8E1803C0A2D501347B123E278B056,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000114325Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:28:38.625{D0132419-0A66-614B-5001-00000000FC01}41924308C:\Windows\Explorer.EXE{D0132419-0A67-614B-5201-00000000FC01}4528C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+b6c18|C:\Windows\System32\TwinUI.dll+b7777|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+37c8f|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+34376|C:\Windows\System32\combase.dll+33b2a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x8000000000000000114324Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:28:38.625{D0132419-0A66-614B-5001-00000000FC01}41924308C:\Windows\Explorer.EXE{D0132419-0A67-614B-5201-00000000FC01}4528C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+b6c18|C:\Windows\System32\TwinUI.dll+b7777|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+37c8f|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+34376|C:\Windows\System32\combase.dll+33b2a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x8000000000000000114323Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:28:38.609{D0132419-04CF-614B-0C00-00000000FC01}8485248C:\Windows\system32\svchost.exe{D0132419-0A67-614B-5201-00000000FC01}4528C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000114322Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:28:38.609{D0132419-0A66-614B-5001-00000000FC01}41925344C:\Windows\Explorer.EXE{D0132419-12F4-614B-8902-00000000FC01}2016C:\Users\Administrator\AppData\Roaming\WIN32\WIN32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62f15|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000114321Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:28:38.609{D0132419-0A66-614B-5001-00000000FC01}41925344C:\Windows\Explorer.EXE{D0132419-12F4-614B-8902-00000000FC01}2016C:\Users\Administrator\AppData\Roaming\WIN32\WIN32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e2e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000114320Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:28:38.609{D0132419-0A66-614B-5001-00000000FC01}41925344C:\Windows\Explorer.EXE{D0132419-12F4-614B-8902-00000000FC01}2016C:\Users\Administrator\AppData\Roaming\WIN32\WIN32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62df7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000114319Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:28:38.609{D0132419-0A66-614B-5001-00000000FC01}41924344C:\Windows\Explorer.EXE{D0132419-12F4-614B-8A02-00000000FC01}4780C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62890|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000114318Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:28:38.609{D0132419-0A66-614B-5001-00000000FC01}41924344C:\Windows\Explorer.EXE{D0132419-12F4-614B-8A02-00000000FC01}4780C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47bc0|C:\Windows\System32\SHELL32.dll+6284c|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000114317Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:28:38.609{D0132419-0A66-614B-5001-00000000FC01}41924344C:\Windows\Explorer.EXE{D0132419-12F4-614B-8A02-00000000FC01}4780C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62820|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000114316Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:28:38.609{D0132419-0A66-614B-5001-00000000FC01}41924344C:\Windows\Explorer.EXE{D0132419-12F4-614B-8A02-00000000FC01}4780C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000114315Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:28:38.609{D0132419-0A66-614B-5001-00000000FC01}41921476C:\Windows\Explorer.EXE{D0132419-0A67-614B-5201-00000000FC01}4528C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000114314Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:28:38.609{D0132419-0A66-614B-5001-00000000FC01}41921476C:\Windows\Explorer.EXE{D0132419-0A67-614B-5201-00000000FC01}4528C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000114313Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:28:38.609{D0132419-04CF-614B-0C00-00000000FC01}8481412C:\Windows\system32\svchost.exe{D0132419-0A67-614B-5101-00000000FC01}4416C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000096286Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:28:39.677{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EEF710E4247FF853F781B713F911F257,SHA256=586C6A31ACE74EDFEE7B38172EAE639A4B345BDBA8F3CCEFF3063AD643882A61,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000114343Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:28:39.625{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D5A3D348CB774815DDE3A64DB0A955E,SHA256=312D0D0EE2E9B76DA031337BBE70FE340D8F0B6941D60429D444005F30EECC56,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000114342Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:28:39.078{D0132419-0A65-614B-4601-00000000FC01}7126060C:\Windows\System32\RuntimeBroker.exe{D0132419-0A67-614B-5101-00000000FC01}4416C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\System32\shcore.dll+35576|C:\Windows\System32\shcore.dll+201ef|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a 10341000x8000000000000000114341Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:28:39.078{D0132419-0A65-614B-4601-00000000FC01}7126060C:\Windows\System32\RuntimeBroker.exe{D0132419-0A67-614B-5101-00000000FC01}4416C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\System32\shcore.dll+35576|C:\Windows\System32\shcore.dll+201ef|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a 10341000x8000000000000000114340Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:28:39.078{D0132419-0A65-614B-4601-00000000FC01}7125884C:\Windows\System32\RuntimeBroker.exe{D0132419-0A67-614B-5101-00000000FC01}4416C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\System32\shcore.dll+35576|C:\Windows\System32\shcore.dll+201ef|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a 10341000x8000000000000000114339Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:28:39.078{D0132419-0A65-614B-4601-00000000FC01}7121156C:\Windows\System32\RuntimeBroker.exe{D0132419-0A67-614B-5101-00000000FC01}4416C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\System32\windows.storage.dll+b7dcd|C:\Windows\System32\windows.storage.dll+2a329d|C:\Windows\System32\windows.storage.dll+14d4b3|C:\Windows\System32\windows.storage.dll+14d52a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+618c3|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+8addb|C:\Windows\System32\combase.dll+8c2d2|C:\Windows\System32\combase.dll+39b93|C:\Windows\System32\combase.dll+8c4dd|C:\Windows\System32\combase.dll+37ebf|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+34376|C:\Windows\System32\combase.dll+33b2a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x8000000000000000114338Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:28:39.078{D0132419-0A65-614B-4601-00000000FC01}7121156C:\Windows\System32\RuntimeBroker.exe{D0132419-0A67-614B-5101-00000000FC01}4416C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\System32\windows.storage.dll+b7dcd|C:\Windows\System32\windows.storage.dll+2ca282|C:\Windows\System32\windows.storage.dll+e3b85|C:\Windows\System32\windows.storage.dll+14cd96|C:\Windows\System32\windows.storage.dll+2a31ff|C:\Windows\System32\windows.storage.dll+14d4b3|C:\Windows\System32\windows.storage.dll+14d52a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+618c3|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+8addb|C:\Windows\System32\combase.dll+8c2d2|C:\Windows\System32\combase.dll+39b93|C:\Windows\System32\combase.dll+8c4dd|C:\Windows\System32\combase.dll+37ebf|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+34376 10341000x8000000000000000114337Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:28:39.062{D0132419-0A65-614B-4601-00000000FC01}7121156C:\Windows\System32\RuntimeBroker.exe{D0132419-0A67-614B-5101-00000000FC01}4416C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\System32\windows.storage.dll+b7dcd|C:\Windows\System32\windows.storage.dll+df6f3|C:\Windows\System32\windows.storage.dll+dee61|C:\Windows\System32\windows.storage.dll+ded75|C:\Windows\System32\windows.storage.dll+ded0e|C:\Windows\System32\windows.storage.dll+5ba79|C:\Windows\System32\windows.storage.dll+13a3a6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+618c3|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+8addb|C:\Windows\System32\combase.dll+8c2d2|C:\Windows\System32\combase.dll+39b93|C:\Windows\System32\combase.dll+8c4dd|C:\Windows\System32\combase.dll+37ebf|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+34376 10341000x8000000000000000114336Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:28:39.062{D0132419-0A65-614B-4601-00000000FC01}7121156C:\Windows\System32\RuntimeBroker.exe{D0132419-0A67-614B-5101-00000000FC01}4416C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\System32\windows.storage.dll+b7dcd|C:\Windows\System32\windows.storage.dll+e1ef3|C:\Windows\System32\windows.storage.dll+5b8f0|C:\Windows\System32\windows.storage.dll+5b847|C:\Windows\System32\windows.storage.dll+5ba17|C:\Windows\System32\windows.storage.dll+13a3a6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+618c3|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+8addb|C:\Windows\System32\combase.dll+8c2d2|C:\Windows\System32\combase.dll+39b93|C:\Windows\System32\combase.dll+8c4dd|C:\Windows\System32\combase.dll+37ebf|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+34376|C:\Windows\System32\combase.dll+33b2a 10341000x8000000000000000114335Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:28:39.062{D0132419-0A65-614B-4601-00000000FC01}7121156C:\Windows\System32\RuntimeBroker.exe{D0132419-0A67-614B-5101-00000000FC01}4416C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\System32\windows.storage.dll+b7dcd|C:\Windows\System32\windows.storage.dll+e3c87|C:\Windows\System32\windows.storage.dll+13a465|C:\Windows\System32\windows.storage.dll+13a388|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+618c3|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+8addb|C:\Windows\System32\combase.dll+8c2d2|C:\Windows\System32\combase.dll+39b93|C:\Windows\System32\combase.dll+8c4dd|C:\Windows\System32\combase.dll+37ebf|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+34376|C:\Windows\System32\combase.dll+33b2a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x8000000000000000114334Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:28:39.062{D0132419-0A65-614B-4601-00000000FC01}7121156C:\Windows\System32\RuntimeBroker.exe{D0132419-0A67-614B-5101-00000000FC01}4416C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\System32\windows.storage.dll+b7dcd|C:\Windows\System32\windows.storage.dll+13a439|C:\Windows\System32\windows.storage.dll+13a388|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+618c3|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+8addb|C:\Windows\System32\combase.dll+8c2d2|C:\Windows\System32\combase.dll+39b93|C:\Windows\System32\combase.dll+8c4dd|C:\Windows\System32\combase.dll+37ebf|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+34376|C:\Windows\System32\combase.dll+33b2a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.storage.dll+e4fdc 10341000x8000000000000000114333Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:28:39.062{D0132419-0A65-614B-4601-00000000FC01}7126060C:\Windows\System32\RuntimeBroker.exe{D0132419-0A67-614B-5101-00000000FC01}4416C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\System32\windows.storage.dll+b7dcd|C:\Windows\System32\windows.storage.dll+b7f48|C:\Windows\System32\windows.storage.dll+1a2cf9|C:\Windows\System32\windows.storage.dll+1a2b55|C:\Windows\System32\windows.storage.dll+b8ca6|C:\Windows\System32\combase.dll+76e7a|C:\Windows\System32\combase.dll+6dc4d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b283|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 10341000x8000000000000000114332Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:28:39.062{D0132419-04CD-614B-0B00-00000000FC01}640768C:\Windows\system32\lsass.exe{D0132419-0A67-614B-5101-00000000FC01}4416C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000114331Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:28:39.062{D0132419-04CD-614B-0B00-00000000FC01}640768C:\Windows\system32\lsass.exe{D0132419-0A67-614B-5101-00000000FC01}4416C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000114349Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:28:40.859{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=963AB3F0A08113AE94C72EAA70291409,SHA256=18530EB2F4184ACA84B2509A1628E08DDA3BEFD54510AC12D30E52C50C8D8F46,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000114348Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:28:40.859{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DC74669C2D5000A9B3DCAD9ADA2EA303,SHA256=29267A316D8C24A2292BC47F2CD1D7EBA5BDF0AE804177BC30F48E7A05856D44,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000114347Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:28:40.640{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2D69A27DCF86204A379E5821F5FC304E,SHA256=4605FA5F8086B9328396D46D4E568C92C2930C4D747BE4BC8F81BE43963E3C29,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000096287Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:28:40.698{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=99E54C9AD011C01F2A8A3AF3A331E086,SHA256=5DB368ADEDF2F58D70BD873317D23EFA25768BDC9E732FFDB1442C46D1752C9A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000114346Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:28:40.078{D0132419-04CF-614B-0C00-00000000FC01}8481412C:\Windows\system32\svchost.exe{D0132419-04D0-614B-1600-00000000FC01}1304C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000114345Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:28:40.078{D0132419-04CF-614B-0C00-00000000FC01}8481412C:\Windows\system32\svchost.exe{D0132419-04D0-614B-1600-00000000FC01}1304C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000114344Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:28:40.078{D0132419-04CF-614B-0C00-00000000FC01}8481412C:\Windows\system32\svchost.exe{D0132419-04D0-614B-1600-00000000FC01}1304C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000114350Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:28:41.656{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AF285C3AE028E691154AD502019034D0,SHA256=F09609936949732740DC7D2F569A11E4B7DD210EC2BB2921279090900AE0F8D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000096289Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:28:41.698{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2EA7B08E91132AD1341370515080A487,SHA256=E1A01F176866E37C8954EBDF1BA7390CEE52023744554EBB0ADDBDEF48F5B422,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000096288Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:28:39.188{601D2BAB-04F9-614B-6600-00000000FD01}2700C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-301.eu-central-1.compute.internal50450-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000096291Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:28:42.698{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D72B2CA97A6FA383E0AE41FC81A9F181,SHA256=A9C174B372C75637875A4A79B219FF211BBDB75C661FA600B9909638E4836B22,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000114352Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:28:39.702{D0132419-04E8-614B-6A00-00000000FC01}3852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local53278-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000114351Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:28:42.687{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9FF3EFAFEAC8BF0D3B3FB3CC9E8EE2AF,SHA256=3058C11845768CF454325A02CA8378F7BB73AC0DF436CC9C0478514A62A1C09C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000096290Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:28:42.135{601D2BAB-04EF-614B-2300-00000000FD01}1560NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=2990B16A694DD695D7F6C8AE7AEE48F0,SHA256=B465CF03FBDF89CAB3FC04972E2D540944CDC3DF8EB3010FFE979D2D499C10D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000096292Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:28:43.745{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F1D0FC54971D385771FAE95B3899AAC,SHA256=6C3EED68ECE6F79A221ECEBFFA1BED6C5672CCAFBD4F1C1B55F6B8AAF1242979,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000114362Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:28:43.953{D0132419-04CF-614B-0C00-00000000FC01}8485248C:\Windows\system32\svchost.exe{D0132419-0A67-614B-5201-00000000FC01}4528C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000114361Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:28:43.953{D0132419-04CF-614B-0C00-00000000FC01}8485248C:\Windows\system32\svchost.exe{D0132419-0A67-614B-5101-00000000FC01}4416C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000114360Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:28:43.953{D0132419-04CF-614B-0C00-00000000FC01}8481412C:\Windows\system32\svchost.exe{D0132419-0A67-614B-5201-00000000FC01}4528C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12fce|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000114359Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:28:43.953{D0132419-04CF-614B-0C00-00000000FC01}8481412C:\Windows\system32\svchost.exe{D0132419-0A67-614B-5201-00000000FC01}4528C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000114358Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:28:43.953{D0132419-04CF-614B-0C00-00000000FC01}8481412C:\Windows\system32\svchost.exe{D0132419-0A67-614B-5101-00000000FC01}4416C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000114357Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:28:43.953{D0132419-0A65-614B-4701-00000000FC01}9763472C:\Windows\system32\sihost.exe{D0132419-0A67-614B-5201-00000000FC01}4528C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\usermgrcli.dll+1121|C:\Windows\System32\modernexecserver.dll+37dac|C:\Windows\System32\modernexecserver.dll+37d4f|C:\Windows\System32\modernexecserver.dll+375a6|C:\Windows\System32\modernexecserver.dll+1a1c4|C:\Windows\System32\modernexecserver.dll+3191d|C:\Windows\System32\modernexecserver.dll+32871|C:\Windows\System32\modernexecserver.dll+3278f|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000114356Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:28:43.906{D0132419-04CF-614B-0C00-00000000FC01}8481412C:\Windows\system32\svchost.exe{D0132419-0A67-614B-5201-00000000FC01}4528C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12fce|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000114355Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:28:43.906{D0132419-04CF-614B-0C00-00000000FC01}8481412C:\Windows\system32\svchost.exe{D0132419-0A67-614B-5201-00000000FC01}4528C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000114354Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:28:43.906{D0132419-04CF-614B-0C00-00000000FC01}8481412C:\Windows\system32\svchost.exe{D0132419-0A67-614B-5101-00000000FC01}4416C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 23542300x8000000000000000114353Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:28:43.703{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB8C4E31F5D61D3602B9F5DE16C42CDD,SHA256=F0BFDB499B44E8D14E19D51A68F6222491667067645900AFD35780E4C13B8984,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000114363Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:28:44.718{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE56E074FEFD4691B1C86F2C766C300F,SHA256=5C39509A2BC485556E82E6934EFEDF3523F9036BA33614DF05BF93F657514978,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000096294Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:28:44.760{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA7B7202DA5F62214DFF4AA3858653EE,SHA256=14E3F6379331F11C09012BA3EBE8C55C71337439F885BAB68FD58555831A2C6D,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000096293Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:28:42.084{601D2BAB-04EF-614B-2300-00000000FD01}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-301.eu-central-1.compute.internal50451-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x8000000000000000114364Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:28:45.750{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=985554B27C333408F043A14512BF0D9E,SHA256=CBD51B8EB52287D6E8F5ADADCB2E6DEE7C6B2B107B5F2B6ADFA1528C818AE603,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000096295Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:28:45.760{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F822EDCC083B7F9CD101F6412EA799D,SHA256=EA0D72E48BB89855D4423F40A88943CDAF8049433E07B587508C837F2D01F230,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000096297Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:28:46.760{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B16A5D5756CB10E050B034BF21E23893,SHA256=0AEFE160EE4FF6CFAEAA19AFB7DF5986B1C54824789ABF97832A8FC2E2ED3CF6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000114365Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:28:46.796{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=88A24CADDB92F2160EC840948DF5A609,SHA256=CB55E7F6B113F8DF220980DA227E3751BD4F5632F12F3BEE2369B473B11B1814,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000096296Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:28:45.115{601D2BAB-04F9-614B-6600-00000000FD01}2700C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-301.eu-central-1.compute.internal50452-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000096298Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:28:47.791{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3ECCC74E84EF69C3BA5376BEFE8D33B6,SHA256=62274A4AD57E1CC30A8A015B64D1896C3EFF8C5545A36D7E70EDB084C7E30903,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000114367Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:28:47.828{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C71B69F572E0D992C228FB2F4BCB5F6,SHA256=72AEC7AC07F9F66E2BEC595B8ABC183F59057586A41FE1C5E8D0B881A3C71E08,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000114366Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:28:45.655{D0132419-04E8-614B-6A00-00000000FC01}3852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local53279-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000114368Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:28:48.859{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B8341F2F8B4863D5888E13714873C27C,SHA256=15556D6775D072E90CF057CA6C20C0C25C114953F72573C8A8D86766447C1E4F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000096299Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:28:48.791{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9BED1B2672C7C4D2052F62C445A38B0D,SHA256=7E2CC79DCD0D3DEAEA2EE5F5734E7813AF948283C0ACC97269B5BA369089AEAC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000114377Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:28:49.875{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BFD4840437432EF20FB837FBB303B13B,SHA256=C3D71061C5AC7B17CA2AD8F4EF03B2910733FF219985DFE59FC35D18CA9BDEEC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000096300Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:28:49.807{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=09159781EBC91487B5706CF091A842A4,SHA256=C20B1499682F782DC709CDB163B5FFD2A7A5562EB3B1FC3CB09208FD0B175CBC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000114376Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:28:49.453{D0132419-04DE-614B-3100-00000000FC01}23683044C:\Windows\system32\conhost.exe{D0132419-1371-614B-9F02-00000000FC01}4948C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000114375Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:28:49.453{D0132419-04CF-614B-0C00-00000000FC01}8485248C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000114374Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:28:49.453{D0132419-04CF-614B-0C00-00000000FC01}8485248C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000114373Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:28:49.453{D0132419-04CF-614B-0C00-00000000FC01}8485248C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000114372Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:28:49.453{D0132419-04CF-614B-0C00-00000000FC01}8485248C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000114371Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:28:49.453{D0132419-04CD-614B-0500-00000000FC01}42492C:\Windows\system32\csrss.exe{D0132419-1371-614B-9F02-00000000FC01}4948C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000114370Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:28:49.453{D0132419-04DD-614B-2800-00000000FC01}28323704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D0132419-1371-614B-9F02-00000000FC01}4948C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000114369Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:28:49.453{D0132419-1371-614B-9F02-00000000FC01}4948C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D0132419-04CD-614B-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{D0132419-04DD-614B-2800-00000000FC01}2832C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000114389Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:28:50.906{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ABBFC73048ED3AE00A61D470F8029CBC,SHA256=7DF650E8BEEACA52DCE2B156BF27B075238E51BBBD23275F74A1517463701575,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000096301Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:28:50.854{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2089DDDFDC681268C7E9E68E75C3C79A,SHA256=B02E4835360FBDA79527C0F6A1D97EB43DA930A952F90CD485260C1F2680376A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000114388Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:28:50.671{D0132419-1372-614B-A002-00000000FC01}47204988C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{D0132419-04DD-614B-2800-00000000FC01}2832C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000114387Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:28:50.546{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FDBA56F0408DDC25D15631F2486D7931,SHA256=14EF8D79E12CAEF032022D596D66A7086BDB90D0821CBC6FD7A1D922A743E3F5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000114386Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:28:50.546{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=963AB3F0A08113AE94C72EAA70291409,SHA256=18530EB2F4184ACA84B2509A1628E08DDA3BEFD54510AC12D30E52C50C8D8F46,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000114385Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:28:50.484{D0132419-04DE-614B-3100-00000000FC01}23683044C:\Windows\system32\conhost.exe{D0132419-1372-614B-A002-00000000FC01}4720C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000114384Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:28:50.484{D0132419-04CF-614B-0C00-00000000FC01}8485248C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000114383Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:28:50.484{D0132419-04CF-614B-0C00-00000000FC01}8485248C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000114382Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:28:50.484{D0132419-04CF-614B-0C00-00000000FC01}8485248C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000114381Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:28:50.484{D0132419-04CF-614B-0C00-00000000FC01}8485248C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000114380Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:28:50.484{D0132419-04CD-614B-0500-00000000FC01}424440C:\Windows\system32\csrss.exe{D0132419-1372-614B-A002-00000000FC01}4720C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000114379Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:28:50.484{D0132419-04DD-614B-2800-00000000FC01}28323704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D0132419-1372-614B-A002-00000000FC01}4720C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000114378Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:28:50.485{D0132419-1372-614B-A002-00000000FC01}4720C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D0132419-04CD-614B-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{D0132419-04DD-614B-2800-00000000FC01}2832C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000114398Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:28:51.937{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CEBACA815AD30DB547AD4332E050B12C,SHA256=C973B84FDB9FAB018712A166C1C3069202A4B60BD91677C7BA1188349878D905,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000096302Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:28:51.900{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1FB79A03D786DA4E175C21B9A4ACCFCF,SHA256=FDFE0257F1E778A5A241B78CC96E19501049613C5046348E233127979D9D6BB3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000114397Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:28:51.156{D0132419-04DE-614B-3100-00000000FC01}23683044C:\Windows\system32\conhost.exe{D0132419-1373-614B-A102-00000000FC01}5200C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000114396Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:28:51.156{D0132419-04CF-614B-0C00-00000000FC01}8485248C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000114395Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:28:51.156{D0132419-04CF-614B-0C00-00000000FC01}8485248C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000114394Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:28:51.156{D0132419-04CF-614B-0C00-00000000FC01}8485248C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000114393Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:28:51.156{D0132419-04CF-614B-0C00-00000000FC01}8485248C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000114392Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:28:51.156{D0132419-04CD-614B-0500-00000000FC01}42492C:\Windows\system32\csrss.exe{D0132419-1373-614B-A102-00000000FC01}5200C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000114391Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:28:51.156{D0132419-04DD-614B-2800-00000000FC01}28323704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D0132419-1373-614B-A102-00000000FC01}5200C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000114390Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:28:51.156{D0132419-1373-614B-A102-00000000FC01}5200C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D0132419-04CD-614B-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{D0132419-04DD-614B-2800-00000000FC01}2832C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000114400Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:28:52.984{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E3F91373D8C9A9C625FBC42269EDBCA6,SHA256=2E17F0ADE9B929DE90B9812BAAEDAF8F9493107CECE90B5EA6EB594C8F80CB1C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000096304Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:28:52.900{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3B6C3F41BA2ACCD57319B40825DF91BA,SHA256=FD39DDDAAC384793E7B1EE7563D13086136BAC0F104EE4410C316CC450F3B4F1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000114399Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:28:52.062{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FDBA56F0408DDC25D15631F2486D7931,SHA256=14EF8D79E12CAEF032022D596D66A7086BDB90D0821CBC6FD7A1D922A743E3F5,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000096303Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:28:51.037{601D2BAB-04F9-614B-6600-00000000FD01}2700C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-301.eu-central-1.compute.internal50453-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000096305Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:28:53.916{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=929D684197C42E5343E01389FFFEB72A,SHA256=698497DC6E1D2229CB8B4FBC316A4D75F56CD38915EE5D4F89E88A227E4B84A0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000114411Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:28:53.828{D0132419-1375-614B-A202-00000000FC01}38405508C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D0132419-04DD-614B-2800-00000000FC01}2832C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000114410Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:28:53.578{D0132419-04DE-614B-3100-00000000FC01}23683044C:\Windows\system32\conhost.exe{D0132419-1375-614B-A202-00000000FC01}3840C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000114409Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:28:53.578{D0132419-04CF-614B-0C00-00000000FC01}8485248C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000114408Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:28:53.578{D0132419-04CF-614B-0C00-00000000FC01}8485248C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000114407Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:28:53.578{D0132419-04CF-614B-0C00-00000000FC01}8485248C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000114406Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:28:53.578{D0132419-04CF-614B-0C00-00000000FC01}8485248C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000114405Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:28:53.578{D0132419-04CD-614B-0500-00000000FC01}424540C:\Windows\system32\csrss.exe{D0132419-1375-614B-A202-00000000FC01}3840C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000114404Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:28:53.578{D0132419-04DD-614B-2800-00000000FC01}28323704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D0132419-1375-614B-A202-00000000FC01}3840C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000114403Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:28:53.578{D0132419-1375-614B-A202-00000000FC01}3840C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D0132419-04CD-614B-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{D0132419-04DD-614B-2800-00000000FC01}2832C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000114402Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:28:50.531{D0132419-04CD-614B-0B00-00000000FC01}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local53280-true0:0:0:0:0:0:0:1win-dc-639.attackrange.local389ldap 354300x8000000000000000114401Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:28:50.530{D0132419-04DD-614B-2500-00000000FC01}2784C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local53280-true0:0:0:0:0:0:0:1win-dc-639.attackrange.local389ldap 23542300x800000000000000096306Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:28:54.947{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=891116245642B6CA25CF3D254C7F3EC5,SHA256=0F7B2B192548AFDF43B0823B6B77810CF584961C3969596DE6AB792FF8A67477,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000114414Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:28:54.656{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=415BF9206CB00769BB774CB50588020B,SHA256=A7D0F27D077802D92FD3A0BBB326BE03B5AFADED82CDF26CE4444075B1DC9892,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000114413Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:28:51.686{D0132419-04E8-614B-6A00-00000000FC01}3852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local53281-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000114412Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:28:54.000{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AEC53ABFE1A61BA9F5FCECB3E0E92D4F,SHA256=A29601FDAE81CEF2C0ED0DC16315427CCB7A8FE565E2062F9476AC67B14F6320,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000096308Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:28:55.947{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=96355ADDE5B31B4F95835C42BBA50F06,SHA256=96EF8FD4C960A2F0B90B826C9B6F2D680A5A47158B18FD7FD2706BA1350C92E4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000114415Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:28:55.015{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A9FEBE40CF52A9D1A4DA2137704D259A,SHA256=8A937141C11EC7121D55AD07E533EDF8E4FB76B5BE26BE8534D115E2F6911C15,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000096307Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:28:55.354{601D2BAB-04EE-614B-1100-00000000FD01}972NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=2D5F786C9725FF39CB34DD33B6271C14,SHA256=E09A868ED9015837C495BF1035DDE5626C4D349BEFA553367CD54CEF4BA0843D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000096309Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:28:56.994{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=748B338476421220D9D9B1E92E1A8443,SHA256=79FC1DB13A2ED77CAECD111AA74FB9D957AD5FC45A62CA8E68D551266F818E26,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000114416Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:28:56.015{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B478479560BE43B38E370982C23A6BB3,SHA256=014F45AE257BC444021A9226188C3D33F8F6C0CE4EC280218C5C4B134B92D539,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000096314Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:28:57.994{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=433BDA924C0A14F7424EEE2436CCC0E6,SHA256=69FB7440397CDA05EC02929DD7763FEF6DE41E49E15D39A981688FADD64CF71D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000114417Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:28:57.031{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=814594D2D2C98211E21C9C37710A7D37,SHA256=D99658744B18871721B6E1542F2858745678D1CD4A8480D2584B80A1604F0E8E,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000096313Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:28:56.226{601D2BAB-04F9-614B-6600-00000000FD01}2700C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-301.eu-central-1.compute.internal50454-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x800000000000000096312Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:28:57.478{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EE-614B-1300-00000000FD01}804C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000096311Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:28:57.478{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EE-614B-1300-00000000FD01}804C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000096310Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:28:57.478{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EE-614B-1300-00000000FD01}804C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000096315Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:28:58.994{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F584474D452D3B40C6D64F8B777C579,SHA256=0B7B093F6366350C61425499ABE7D67969607C9FD3217532361643B7ED83A29E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000114418Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:28:58.046{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=378753D0B9D533C38A539E9B2FF9AAA5,SHA256=CA8E5B30593C4752B8D7E17856D9A0E647C6E8C23818DBE85631C149B35F2917,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000114420Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:28:57.546{D0132419-04E8-614B-6A00-00000000FC01}3852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local53282-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000114419Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:28:59.062{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA118CB5DAB1149D8186CBE3C468FC85,SHA256=3A8E7210413A62AAEDDA583EEFF9D424868CA91A72E1603C82012E8B59C62C68,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000114421Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:29:00.078{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0A43A436B5DD8019B1A4D1CEFDB59AFF,SHA256=33BA2F75E05EA97FB02DE3C790DA778DCB7CE676D9C33D4E79D8F3F39B583D7C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000096316Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:29:00.025{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C4341C4E84A2ECD1C41E366C6BA95BBE,SHA256=FA8C86A2E9641B49AEDEC1CFB97846653F422356042491B47F629A9BD42349C5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000114422Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:29:01.109{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E802A4E11F5986B4079FEF9B91857C2,SHA256=BA603C9C3B67A2D8E1A2AD09C6C20A7CC950BF2D2BCB90A762F57241044023EC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000096317Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:29:01.038{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=48864C944C3F57F67F5A1AB99929FC5B,SHA256=C9D5C4A66D9E086BED05A7CB3FB92677B45308E98605BF5D252A60CCAC6FD917,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000114423Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:29:02.140{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=94F44F26F0F5850DEB15727368675DC6,SHA256=F3ABD9D6D57473761012075C03E7D2A2B9DB87DE4EE5BE2036CF6BA30B3C6E4D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000096318Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:29:02.053{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=79FBC49ECED46EC4E636A8DEE3ECF66D,SHA256=56C9869639F3E47146B330E3004AD781A7CC88403E507189CF923A2130E05A4F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000114424Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:29:03.156{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=13F4EAF9F888CEE18929C4AD0F381975,SHA256=C98E24F2439E6CAD94E4962FB8924CB25D1B2876D81C426EA0022221EB11F487,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000096320Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:29:02.206{601D2BAB-04F9-614B-6600-00000000FD01}2700C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-301.eu-central-1.compute.internal50455-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000096319Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:29:03.053{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4A0B3CF884831D142BC8535A6E915546,SHA256=3F48D773B087A774467FE25E2DCA2E390271D5A1AA62536F282B2DBE87CD966B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000114426Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:29:02.639{D0132419-04E8-614B-6A00-00000000FC01}3852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local53283-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000114425Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:29:04.156{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B3BF03FB24B625499995A7133EDDF985,SHA256=2B7C053C626AFF0C7DCC9EA24C2E6F373CEF6E5FBFF04C6F94FCF4F96FFE151B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000096321Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:29:04.053{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=411D6C4241305FEBB3A8379F545AB657,SHA256=6DE978980A3C97C873A8233592062D79D5D6FB65B73A8ED26E7F6EFD4E1BB252,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000114427Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:29:05.187{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8564A3F353E0EC156BF740B87C8C11CE,SHA256=463031BB89467B1655924B4D6E7851111FC81A4F0C8D2A0A379C0DA0229E44C0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000096335Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:29:05.865{601D2BAB-04F0-614B-2B00-00000000FD01}28122832C:\Windows\system32\conhost.exe{601D2BAB-1381-614B-4902-00000000FD01}1796C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000096334Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:29:05.865{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000096333Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:29:05.865{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000096332Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:29:05.865{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000096331Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:29:05.865{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000096330Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:29:05.865{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000096329Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:29:05.865{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000096328Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:29:05.865{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000096327Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:29:05.865{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000096326Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:29:05.865{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000096325Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:29:05.865{601D2BAB-04ED-614B-0500-00000000FD01}412428C:\Windows\system32\csrss.exe{601D2BAB-1381-614B-4902-00000000FD01}1796C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000096324Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:29:05.865{601D2BAB-04EF-614B-2300-00000000FD01}15603852C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{601D2BAB-1381-614B-4902-00000000FD01}1796C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000096323Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:29:05.866{601D2BAB-1381-614B-4902-00000000FD01}1796C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{601D2BAB-04EE-614B-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{601D2BAB-04EF-614B-2300-00000000FD01}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000096322Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:29:05.069{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A9F1CBD3B6D30D7F64E6B574683BB177,SHA256=01309EA1669D2BC34050BCB1F54467AFF0C1C20298678932DE5E54A035122EB1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000114446Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:29:06.968{D0132419-1382-614B-A402-00000000FC01}25962276C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D0132419-04DD-614B-2800-00000000FC01}2832C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000114445Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:29:06.781{D0132419-04DE-614B-3100-00000000FC01}23683044C:\Windows\system32\conhost.exe{D0132419-1382-614B-A402-00000000FC01}2596C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000114444Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:29:06.781{D0132419-04CF-614B-0C00-00000000FC01}8485248C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000114443Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:29:06.781{D0132419-04CF-614B-0C00-00000000FC01}8485248C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000114442Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:29:06.781{D0132419-04CF-614B-0C00-00000000FC01}8485248C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000114441Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:29:06.781{D0132419-04CF-614B-0C00-00000000FC01}8485248C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000114440Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:29:06.781{D0132419-04CD-614B-0500-00000000FC01}424540C:\Windows\system32\csrss.exe{D0132419-1382-614B-A402-00000000FC01}2596C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000114439Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:29:06.781{D0132419-04DD-614B-2800-00000000FC01}28323704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D0132419-1382-614B-A402-00000000FC01}2596C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000114438Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:29:06.782{D0132419-1382-614B-A402-00000000FC01}2596C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{D0132419-04CD-614B-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{D0132419-04DD-614B-2800-00000000FC01}2832C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000114437Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:29:06.546{D0132419-1382-614B-A302-00000000FC01}59484008C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{D0132419-04DD-614B-2800-00000000FC01}2832C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000114436Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:29:06.281{D0132419-04DE-614B-3100-00000000FC01}23683044C:\Windows\system32\conhost.exe{D0132419-1382-614B-A302-00000000FC01}5948C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000114435Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:29:06.281{D0132419-04CF-614B-0C00-00000000FC01}8485248C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000114434Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:29:06.281{D0132419-04CF-614B-0C00-00000000FC01}8485248C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000114433Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:29:06.281{D0132419-04CF-614B-0C00-00000000FC01}8485248C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000114432Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:29:06.281{D0132419-04CF-614B-0C00-00000000FC01}8485248C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000114431Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:29:06.281{D0132419-04CD-614B-0500-00000000FC01}424540C:\Windows\system32\csrss.exe{D0132419-1382-614B-A302-00000000FC01}5948C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000114430Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:29:06.281{D0132419-04DD-614B-2800-00000000FC01}28323704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D0132419-1382-614B-A302-00000000FC01}5948C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000114429Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:29:06.282{D0132419-1382-614B-A302-00000000FC01}5948C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D0132419-04CD-614B-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{D0132419-04DD-614B-2800-00000000FC01}2832C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000114428Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:29:06.203{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=67DA6138826B3989BC90644CF451A917,SHA256=F167395778D485C6EC44CBE393D72F782A076ECEFD4CBAFA8F38C310CB93729B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000096336Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:29:06.069{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7099675014BEF5DBA963EA82D622E222,SHA256=5308BA2D671363E2094B60FFF4462573649A7D3DA685DE9B7ADC75EE8E7D1D0A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000114457Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:29:07.359{D0132419-04DE-614B-3100-00000000FC01}23683044C:\Windows\system32\conhost.exe{D0132419-1383-614B-A502-00000000FC01}1404C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000114456Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:29:07.359{D0132419-04CF-614B-0C00-00000000FC01}8485248C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000114455Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:29:07.359{D0132419-04CF-614B-0C00-00000000FC01}8485248C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000114454Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:29:07.359{D0132419-04CF-614B-0C00-00000000FC01}8485248C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000114453Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:29:07.359{D0132419-04CF-614B-0C00-00000000FC01}8485248C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000114452Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:29:07.359{D0132419-04CD-614B-0500-00000000FC01}42492C:\Windows\system32\csrss.exe{D0132419-1383-614B-A502-00000000FC01}1404C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000114451Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:29:07.359{D0132419-04DD-614B-2800-00000000FC01}28323704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D0132419-1383-614B-A502-00000000FC01}1404C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000114450Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:29:07.360{D0132419-1383-614B-A502-00000000FC01}1404C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D0132419-04CD-614B-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{D0132419-04DD-614B-2800-00000000FC01}2832C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000114449Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:29:07.328{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E098B332F2182C9FC994695FE4A5725F,SHA256=E9A979AEECAEE788AFF28E8161B25EACC509520A9FB03346EF61FB1DC080ACA3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000114448Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:29:07.328{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=61AAE3A03FD3674A95829255DE75DB54,SHA256=FC5014AE713BBBDBC71494E3BF140E15A698EBC25FB70B1191DA34A661C79D92,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000114447Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:29:07.250{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C9B45020F4F979A2365C6FE166A050A,SHA256=EE9D9E05315A04B674BA5173111DF2B67D8F3A8E4B330C1B01A32C369FB39219,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000096366Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:29:07.709{601D2BAB-04F0-614B-2B00-00000000FD01}28122832C:\Windows\system32\conhost.exe{601D2BAB-1383-614B-4B02-00000000FD01}3120C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000096365Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:29:07.709{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000096364Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:29:07.709{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000096363Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:29:07.709{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000096362Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:29:07.709{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000096361Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:29:07.709{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000096360Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:29:07.709{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000096359Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:29:07.709{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000096358Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:29:07.709{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000096357Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:29:07.709{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000096356Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:29:07.709{601D2BAB-04ED-614B-0500-00000000FD01}4121044C:\Windows\system32\csrss.exe{601D2BAB-1383-614B-4B02-00000000FD01}3120C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000096355Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:29:07.709{601D2BAB-04EF-614B-2300-00000000FD01}15603852C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{601D2BAB-1383-614B-4B02-00000000FD01}3120C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000096354Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:29:07.710{601D2BAB-1383-614B-4B02-00000000FD01}3120C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{601D2BAB-04EE-614B-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{601D2BAB-04EF-614B-2300-00000000FD01}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000096353Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:29:07.162{601D2BAB-1383-614B-4A02-00000000FD01}29003276C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{601D2BAB-04EF-614B-2300-00000000FD01}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000096352Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:29:07.069{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A769D19C241724A2E697860A948C1F0F,SHA256=E89E4E83D3CD79ADC524FA3D8A188D91D9CE58CB26321E65AAC4AFE14C649F35,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000096351Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:29:07.069{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AF04E34958A18AA2A123754C1A51872C,SHA256=7DB1F2CF2626A740634B869FBFB444A0F6154E4F6A1A720875AE7D3C86D44486,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000096350Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:29:07.069{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=80A88A75B7F4E3D055F30982BFE5FCFE,SHA256=1D802D84067EC93F01D06A1FDDFF797DFC9CE9FF81C0C918681A3882EC734198,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000096349Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:29:07.037{601D2BAB-04F0-614B-2B00-00000000FD01}28122832C:\Windows\system32\conhost.exe{601D2BAB-1383-614B-4A02-00000000FD01}2900C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000096348Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:29:07.037{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000096347Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:29:07.037{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000096346Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:29:07.037{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000096345Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:29:07.037{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000096344Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:29:07.037{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000096343Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:29:07.037{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000096342Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:29:07.037{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000096341Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:29:07.037{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000096340Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:29:07.037{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000096339Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:29:07.037{601D2BAB-04ED-614B-0500-00000000FD01}4121044C:\Windows\system32\csrss.exe{601D2BAB-1383-614B-4A02-00000000FD01}2900C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000096338Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:29:07.037{601D2BAB-04EF-614B-2300-00000000FD01}15603852C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{601D2BAB-1383-614B-4A02-00000000FD01}2900C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000096337Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:29:07.038{601D2BAB-1383-614B-4A02-00000000FD01}2900C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{601D2BAB-04EE-614B-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{601D2BAB-04EF-614B-2300-00000000FD01}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000114459Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:29:08.375{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E098B332F2182C9FC994695FE4A5725F,SHA256=E9A979AEECAEE788AFF28E8161B25EACC509520A9FB03346EF61FB1DC080ACA3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000114458Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:29:08.265{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1075419504F30948959C6443C87F1F90,SHA256=4D839958F5EC834C53934260A3E78579E329C2ABE20E582862E18AE1955535E2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000096368Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:29:08.834{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AF04E34958A18AA2A123754C1A51872C,SHA256=7DB1F2CF2626A740634B869FBFB444A0F6154E4F6A1A720875AE7D3C86D44486,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000096367Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:29:08.069{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=33DFEB35349C9EA8DC24F3B5D2563419,SHA256=C92B034C122779C6AA2D12C0E9D613C5407D193389DA63AD1B116314B0474C4F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000114464Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:29:07.702{D0132419-04E8-614B-6A00-00000000FC01}3852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local53284-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000114463Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:29:09.281{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=75EA97E79DD712F70F4EC2CAFCBE17CF,SHA256=168F8549E854862629C2EFB574E36191FE0BEE1DC256E0665E06BDA536E808CA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000096384Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:29:09.709{601D2BAB-1385-614B-4C02-00000000FD01}34163404C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{601D2BAB-04EF-614B-2300-00000000FD01}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x800000000000000096383Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:29:07.987{601D2BAB-04F9-614B-6600-00000000FD01}2700C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-301.eu-central-1.compute.internal50456-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x800000000000000096382Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:29:09.584{601D2BAB-04F0-614B-2B00-00000000FD01}28122832C:\Windows\system32\conhost.exe{601D2BAB-1385-614B-4C02-00000000FD01}3416C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000096381Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:29:09.584{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000096380Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:29:09.584{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000096379Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:29:09.584{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000096378Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:29:09.584{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000096377Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:29:09.584{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000096376Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:29:09.584{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000096375Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:29:09.584{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000096374Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:29:09.584{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000096373Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:29:09.584{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000096372Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:29:09.584{601D2BAB-04ED-614B-0500-00000000FD01}4121044C:\Windows\system32\csrss.exe{601D2BAB-1385-614B-4C02-00000000FD01}3416C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000096371Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:29:09.584{601D2BAB-04EF-614B-2300-00000000FD01}15603852C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{601D2BAB-1385-614B-4C02-00000000FD01}3416C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000096370Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:29:09.585{601D2BAB-1385-614B-4C02-00000000FD01}3416C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{601D2BAB-04EE-614B-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{601D2BAB-04EF-614B-2300-00000000FD01}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000096369Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:29:09.068{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F6CE147ADD94315051DEDADCF95D91F,SHA256=2C4B7C0A357D546A5BE7597C4EB83C88D86D350BC6731F9441D5E39E9EA5FE82,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000114462Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.localT1158SetValue2021-09-22 11:29:09.218{D0132419-0A66-614B-5001-00000000FC01}4192C:\Windows\Explorer.EXEHKU\S-1-5-21-4212517941-3008131832-663396887-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHiddenDWORD (0x00000001) 13241300x8000000000000000114461Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.localT1158SetValue2021-09-22 11:29:09.203{D0132419-0A66-614B-5001-00000000FC01}4192C:\Windows\Explorer.EXEHKU\S-1-5-21-4212517941-3008131832-663396887-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExtDWORD (0x00000000) 13241300x8000000000000000114460Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.localT1158SetValue2021-09-22 11:29:09.203{D0132419-0A66-614B-5001-00000000FC01}4192C:\Windows\Explorer.EXEHKU\S-1-5-21-4212517941-3008131832-663396887-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HiddenDWORD (0x00000001) 23542300x8000000000000000114465Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:29:10.328{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E4FC4C4C4C859A4C1F33FB08345AEE1,SHA256=52D99F27DA094C939AC79556ACA23E09AD069E4B1802B59AA98106E90CBE45FA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000096413Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:29:10.928{601D2BAB-04F0-614B-2B00-00000000FD01}28122832C:\Windows\system32\conhost.exe{601D2BAB-1386-614B-4E02-00000000FD01}3420C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000096412Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:29:10.928{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000096411Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:29:10.928{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000096410Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:29:10.928{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000096409Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:29:10.928{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000096408Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:29:10.928{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000096407Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:29:10.928{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000096406Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:29:10.928{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000096405Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:29:10.928{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000096404Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:29:10.928{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000096403Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:29:10.928{601D2BAB-04ED-614B-0500-00000000FD01}412528C:\Windows\system32\csrss.exe{601D2BAB-1386-614B-4E02-00000000FD01}3420C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000096402Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:29:10.928{601D2BAB-04EF-614B-2300-00000000FD01}15603852C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{601D2BAB-1386-614B-4E02-00000000FD01}3420C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000096401Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:29:10.928{601D2BAB-1386-614B-4E02-00000000FD01}3420C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{601D2BAB-04EE-614B-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{601D2BAB-04EF-614B-2300-00000000FD01}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000096400Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:29:10.662{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=ED97CE42D1EC03363EE2810D80B844A2,SHA256=24ED4DAE40FE851C57B4C50C8E8562733E2EA26214CDD8629E24C9D6ACC39DB1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000096399Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:29:10.397{601D2BAB-1386-614B-4D02-00000000FD01}35363172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{601D2BAB-04EF-614B-2300-00000000FD01}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000096398Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:29:10.256{601D2BAB-04F0-614B-2B00-00000000FD01}28122832C:\Windows\system32\conhost.exe{601D2BAB-1386-614B-4D02-00000000FD01}3536C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000096397Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:29:10.256{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000096396Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:29:10.256{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000096395Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:29:10.256{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000096394Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:29:10.256{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000096393Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:29:10.256{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000096392Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:29:10.256{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000096391Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:29:10.256{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000096390Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:29:10.256{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000096389Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:29:10.256{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000096388Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:29:10.256{601D2BAB-04ED-614B-0500-00000000FD01}412528C:\Windows\system32\csrss.exe{601D2BAB-1386-614B-4D02-00000000FD01}3536C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000096387Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:29:10.256{601D2BAB-04EF-614B-2300-00000000FD01}15603852C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{601D2BAB-1386-614B-4D02-00000000FD01}3536C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000096386Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:29:10.257{601D2BAB-1386-614B-4D02-00000000FD01}3536C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{601D2BAB-04EE-614B-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{601D2BAB-04EF-614B-2300-00000000FD01}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000096385Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:29:10.069{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C09882DA5AB9D3FE81B8380F49F96EA4,SHA256=6AE3A9B7236158B8FF06BA38E46ED886E55F5BDC963B440096377039A8C70FDB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000114467Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:29:11.753{D0132419-04DD-614B-2900-00000000FC01}2876NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-00d0db05f68d8430c\channels\health\respondent-20210922102639-060MD5=345F625AB226979275E8E5CD8333D545,SHA256=49B2C959B2C09B2DF7CFAED4905912E8B63F426A3734D76F2BAAFA07100D73D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000114466Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:29:11.329{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0FD68B6DBA01FA5DDD06B497DC7B3264,SHA256=9524027CBAF7EF12036F4A71551724A1850095E22DCF14A36821E0CDF4451452,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000096415Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:29:11.318{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C4B678859B7ACFD7BB9973D0103AF85,SHA256=ED2098D7CF3C6C21E80A354825CCB9CA77C7B701A95E38DD2D52DDD65F7B017D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000096414Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:29:11.068{601D2BAB-1386-614B-4E02-00000000FD01}34203228C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{601D2BAB-04EF-614B-2300-00000000FD01}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000114476Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:29:12.858{D0132419-0A66-614B-5001-00000000FC01}41924548C:\Windows\Explorer.EXE{D0132419-12F4-614B-8902-00000000FC01}2016C:\Users\Administrator\AppData\Roaming\WIN32\WIN32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62f15|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000114475Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:29:12.858{D0132419-0A66-614B-5001-00000000FC01}41924548C:\Windows\Explorer.EXE{D0132419-12F4-614B-8902-00000000FC01}2016C:\Users\Administrator\AppData\Roaming\WIN32\WIN32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e2e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000114474Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:29:12.858{D0132419-0A66-614B-5001-00000000FC01}41924548C:\Windows\Explorer.EXE{D0132419-12F4-614B-8902-00000000FC01}2016C:\Users\Administrator\AppData\Roaming\WIN32\WIN32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62df7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000114473Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:29:12.858{D0132419-0A66-614B-5001-00000000FC01}41924344C:\Windows\Explorer.EXE{D0132419-12F4-614B-8A02-00000000FC01}4780C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62890|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000114472Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:29:12.858{D0132419-0A66-614B-5001-00000000FC01}41924344C:\Windows\Explorer.EXE{D0132419-12F4-614B-8A02-00000000FC01}4780C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47bc0|C:\Windows\System32\SHELL32.dll+6284c|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000114471Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:29:12.858{D0132419-0A66-614B-5001-00000000FC01}41924344C:\Windows\Explorer.EXE{D0132419-12F4-614B-8A02-00000000FC01}4780C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62820|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000114470Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:29:12.858{D0132419-0A66-614B-5001-00000000FC01}41924344C:\Windows\Explorer.EXE{D0132419-12F4-614B-8A02-00000000FC01}4780C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000114469Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:29:12.767{D0132419-04DD-614B-2900-00000000FC01}2876NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-00d0db05f68d8430c\channels\health\surveyor-20210922102637-061MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000114468Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:29:12.344{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F9041121BD095184139C68BE8D281B7C,SHA256=1A5EC6BC98F538664FC3287B8DF0BEA91823AF96B2AF272BEF21730E2634903B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000096430Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:29:12.959{601D2BAB-04F0-614B-2B00-00000000FD01}28122832C:\Windows\system32\conhost.exe{601D2BAB-1388-614B-4F02-00000000FD01}1228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000096429Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:29:12.959{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000096428Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:29:12.959{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000096427Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:29:12.959{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000096426Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:29:12.959{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000096425Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:29:12.959{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000096424Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:29:12.959{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000096423Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:29:12.959{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000096422Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:29:12.959{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000096421Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:29:12.959{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000096420Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:29:12.959{601D2BAB-04ED-614B-0500-00000000FD01}4121044C:\Windows\system32\csrss.exe{601D2BAB-1388-614B-4F02-00000000FD01}1228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000096419Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:29:12.959{601D2BAB-04EF-614B-2300-00000000FD01}15603852C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{601D2BAB-1388-614B-4F02-00000000FD01}1228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000096418Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:29:12.960{601D2BAB-1388-614B-4F02-00000000FD01}1228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{601D2BAB-04EE-614B-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{601D2BAB-04EF-614B-2300-00000000FD01}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000096417Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:29:12.084{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3306A860DADB0E9B172C4A1D5F7D2A24,SHA256=8B382802A7B00BC7794177433EAB06146E150DC640B125E223235E90F44AA3AF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000096416Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:29:12.084{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=51C7574B291E339C5D1BEC4B4D1EAC1E,SHA256=4C40821BF156058C4309A9D160790C33AC7E79D44E195D52E2F7A9E215A9A74C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000114477Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:29:13.346{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=70E1C554E83DF9C793556EFEDDF6C31B,SHA256=183F5F72259B0E02DD85B983B15F08DEC11392F55C62BA5EEB7C21B79C3DE32A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000096432Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:29:13.990{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=517C7022B28D50AD7A11723CAE3D663D,SHA256=7FE0BAA9A67F64BE562CA16DC05134A8B6C1DD2B640A9FE49D06E617287C195E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000096431Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:29:13.084{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A52777C792864C57673DB8EE756F24C7,SHA256=2820A914D2980C64EC6DD5C22DE344FFBB67DAB21B1582A1D19DBEDC3B755535,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000114478Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:29:14.377{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A68762537F07E4BDE1B9161DBDC72B4F,SHA256=F3E6F0CC54786479CFA88CC932FDA4579066DCAA852A29D44BF8691DCAEBC928,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000096434Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:29:13.144{601D2BAB-04F9-614B-6600-00000000FD01}2700C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-301.eu-central-1.compute.internal50457-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000096433Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:29:14.084{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=24AE936C079B240EB60B82911DCCF7CB,SHA256=51185D870A294DFA919CD087A608B578A4CBFB15BA980C1B22FF696D2148D84C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000114480Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:29:13.532{D0132419-04E8-614B-6A00-00000000FC01}3852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local53285-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000114479Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:29:15.408{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E0A9BF31094A631591AB7626EAC15B04,SHA256=D0F2811D1E9FF026F505AE59F9E0DF5F9981BA4D2D787FBEE87C8E741F657968,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000096435Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:29:15.099{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=696D458D749B62EA33396F3FD1A749C9,SHA256=CE8E372B38FCDB527E5F3259394B504137199E2EDB24760C68C1E4BC78127E5B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000114481Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:29:16.424{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F82FF7B3B64E1476AFDA4F8ECD6A108,SHA256=12881E7103076D7D71902D928EA3F28FD85CC4C5039FD9EB0F542542419AAF98,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000096436Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:29:16.099{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6673D35E31697C2FE2F65671497B6517,SHA256=A1EE51D402C3FC2865F5EA4984C02F8C143EF9457183D150FB9299F555CDA432,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000114482Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:29:17.440{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=738312E16A6F5DC894FF27B0F0B740E3,SHA256=187489EF17A7AF71A313FC0133DC7AF6108AE2A648B0619824D1C4E04DBE537F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000096437Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:29:17.099{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9090A32787F76E667A630448B7BA2C5E,SHA256=0F8A20B4B1ACF731AF3811D62843570C9EAF637BFFDCFCD927F805A72429ABCB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000114483Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:29:18.471{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE8F6F0D362C162DCD816BA6A462D22D,SHA256=4F29D05DB920714EE35E964BE0AE6F56B1B8557EB3B1D8D0340B22AEC8EE1F7D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000096438Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:29:18.099{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6FFBCDB0089765CF99DAB360EB2534EB,SHA256=D85C5E172DD0B204D3105D36E6CF3317649B55B0D9954F58B2799C05F6963A60,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000114484Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:29:19.486{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE89E52FB43227F16C26BA0A2DF0E42E,SHA256=AD173F5E332FFF32A16B48DCD61162FCE25CECF7B4DBA5485E85CBFEEB23BD11,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000096439Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:29:19.099{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F64B2CA1232C5C0A3A22EE0380F85F63,SHA256=D7B687314C619335E0EFC6C621E24F636E12B6829D209F7ED96402345482F585,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000114485Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:29:20.533{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A6301EAFF4EF084DEF08B2F6F74FE707,SHA256=4B9F3341589F985EA650A571E51C5907A4DED4FE0D106128D299C0706A1B3409,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000096441Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:29:19.034{601D2BAB-04F9-614B-6600-00000000FD01}2700C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-301.eu-central-1.compute.internal50458-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000096440Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:29:20.099{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E0C36E04F83673B4106BDC27CD02CA27,SHA256=99B36FCB64900DADEBA67CC06B0B03F3A56AFF5381F650BB0F346B35DAD4BEB4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000114486Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:29:21.549{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA5906B0A718D3FF954D7E9B15C4454D,SHA256=CECA3BC4E11D55C9A2341A4BF8AEBC4E34D3CDAEF1391A51C297ED8AA1AFB337,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000096442Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:29:21.108{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6DF71C8D9F0240EDF45014B229FDD644,SHA256=E4C0FBF22B543F18C89891EC509DFCFB29A27194647ECAA3A79E1B488D4FD095,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000114489Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:29:22.549{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=78DE8F540E6B3A4BD5DAE9A2B349080F,SHA256=060961E35B7D0414DDBEF1AC357FE7A0DCE7E12D3C92F049ED7E697FBE07097C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000096443Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:29:22.108{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D56769467E0977CEAAC044F9B0672DE5,SHA256=A18F0DB0335936C85F28002740C93A14F2714BF6278F13CD38EB993A1BD61D26,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000114488Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:29:22.127{D0132419-12F4-614B-8902-00000000FC01}2016C:\Users\Administrator\AppData\Roaming\WIN32\WIN32.exeC:\Users\Administrator\AppData\Roaming\audio\2021-09-09-17.40.wav2021-09-22 11:29:22.127 354300x8000000000000000114487Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:29:19.563{D0132419-04E8-614B-6A00-00000000FC01}3852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local53286-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000114490Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:29:23.565{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=64FD1FE34DB655B2B8C044582E5FA81B,SHA256=D90F42AF73FAC47F16457271A11F6CF8BB80AFFBAC5AC05DDA9BF9D5A182F0E0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000096444Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:29:23.108{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A3FBC348017E5DD0D0E863B9C754DAB3,SHA256=0561ED366F346F3B5DEAA4B2C2AB54A29364836181770B9AA2F1ED7567961CF8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000114491Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:29:24.580{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D4DA59A875CEFFD6A76571CC9A8F5A41,SHA256=A49A3B18F737782C0E28563E58FFA1AFA0DC0E4FB4B7896E95B541337B53BD8B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000096445Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:29:24.108{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=12E1D15715E2A21CE8ED46C9B895FD94,SHA256=CD61C3BC38FACC6EAAF0A1A05163E961F526702E279666C5BE39AAA6B9C8A29C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000114493Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:29:25.580{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=78B64410395F582942FE7AB0045D1AA6,SHA256=407A79763B7BBF2CA2EB46B2BB10EEAE91C516C02EA6EB19CDAC9E633A8AA7A1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000096446Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:29:25.123{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE07968843375836B6CEEF046EBFE02A,SHA256=B2A5FFD5728FE2071867E13E490E8AE7B2DB140304CA51ADFB3BB36AB7036C94,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000114492Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:29:25.111{D0132419-04D0-614B-1300-00000000FC01}396NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=9E6E2972DFE6286A8B0D28B9DB90AD6C,SHA256=2A48AA51024398769188BFB36A9DBA76198000B81DEDC2866C082226DBDBEF5F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000114494Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:29:26.627{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C4834660D1CAD1B42D6C31BFEBDC9E9,SHA256=187477CF98CC49FCFD822B47BCD98C16F1A15DE302E1B4E918DFCDA331D142B5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000096448Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:29:26.123{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A2C6A0DBCDEDB6EEF81B25A43DCCBCDD,SHA256=7C24721F6FB6F855E9A3764B72E9D82BE1DFEF9319AE8068BBF34A6D5CE6B323,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000096447Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:29:24.199{601D2BAB-04F9-614B-6600-00000000FD01}2700C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-301.eu-central-1.compute.internal50459-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000114496Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:29:27.658{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DAF04929E4E7939AB26BA7F3680777C6,SHA256=95EEC43D8FCA5E840395EEF45B000A65BAB7C545AA4CCBA989ED599B104C50F6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000096449Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:29:27.123{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE355447DED711B4412B3FBB20B51AF1,SHA256=C3360F836BB82787BB79CE71E4C7637B04F6ED5AC11C4A939F249D6E31C9B390,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000114495Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:29:24.673{D0132419-04E8-614B-6A00-00000000FC01}3852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local53287-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000114497Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:29:28.815{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F90F1677A23C7588992F03DE39D2F59,SHA256=8555D01E76A4ED59CAD13AFC1CF79BFF08207C9404C894D2FD3625FD47F49251,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000096450Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:29:28.139{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3368AFAF28488BD266A16F0393BB0A30,SHA256=EA61E7E60F840166ECF75A90FDDD089A2A66C088B8D73492498CE372ED4BF1C1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000114498Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:29:29.861{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AAA6738AB7E93A8F9C901DFEE55536AC,SHA256=19808EDD085145BF157566B231F4A1E3FB12C90DFF8E84DF58A18AB0FE32C866,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000096452Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:29:29.283{601D2BAB-04EF-614B-1D00-00000000FD01}1920NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-03510517867203100\channels\health\respondent-20210922102657-060MD5=22FBA84AE51C77110BB6250FAEBEFB73,SHA256=8C4862C18A6D8E85F040577B2F2863C8212E82437A5FE9547DE6724818512818,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000096451Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:29:29.187{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F611C2F3AB9BB0DF292FD56A88A0847,SHA256=AD98EA7D9EFD854DB72FFC5A6DA34E5134A38F483F7424E736224D7C57961F67,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000114499Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:29:30.862{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=314CD8AF325BECA238B3F807F440D6D6,SHA256=592090F9A4A632D6534C66341B366788F6155F63C2B618383518F97D83F0951A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000096454Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:29:30.296{601D2BAB-04EF-614B-1D00-00000000FD01}1920NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-03510517867203100\channels\health\surveyor-20210922102655-061MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000096453Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:29:30.202{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD94B511867CEF4394ED0581054647FE,SHA256=CDA827F063EBDF27BE9B86B80C7AEC1B749A9E0D1F88AC6500E6AE67A0C8DA69,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000114500Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:29:31.877{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=53FFC6A8EFF767B7F4FD136E343EB581,SHA256=BA9FAA7E2C83D7E3E9FC0404CEE699F9BD5F1BF2A7B8F639D4E6CC335EC57F2F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000096456Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:29:31.218{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=04C621DD3C9E9E8E32C92263FF1F3F29,SHA256=AA88533B0B3143BB53596FA4B8746EFCFAA11BDAD85AFECC99DA286A34AAE254,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000096455Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:29:29.201{601D2BAB-04F9-614B-6600-00000000FD01}2700C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-301.eu-central-1.compute.internal50460-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000114509Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:29:32.893{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7019D8C54B7B816F9223604F28FF0208,SHA256=64FE6871810BEE64BC8FCEFEF8E4D3B9538761C00EB9C279822360813E5CBB15,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000096457Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:29:32.233{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F646941E6D20B77AEBCC1EF044B076E3,SHA256=0A5B3B6D115E9760FEDD942D4C74D669B6181A93CF0C8D131CE050F2C9A5FC2C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000114508Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:29:32.705{D0132419-0A66-614B-5001-00000000FC01}41925536C:\Windows\Explorer.EXE{D0132419-12F4-614B-8902-00000000FC01}2016C:\Users\Administrator\AppData\Roaming\WIN32\WIN32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62f15|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000114507Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:29:32.705{D0132419-0A66-614B-5001-00000000FC01}41925536C:\Windows\Explorer.EXE{D0132419-12F4-614B-8902-00000000FC01}2016C:\Users\Administrator\AppData\Roaming\WIN32\WIN32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e2e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000114506Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:29:32.705{D0132419-0A66-614B-5001-00000000FC01}41925536C:\Windows\Explorer.EXE{D0132419-12F4-614B-8902-00000000FC01}2016C:\Users\Administrator\AppData\Roaming\WIN32\WIN32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62df7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000114505Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:29:32.690{D0132419-0A66-614B-5001-00000000FC01}41924344C:\Windows\Explorer.EXE{D0132419-12F4-614B-8A02-00000000FC01}4780C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62890|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000114504Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:29:32.690{D0132419-0A66-614B-5001-00000000FC01}41924344C:\Windows\Explorer.EXE{D0132419-12F4-614B-8A02-00000000FC01}4780C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47bc0|C:\Windows\System32\SHELL32.dll+6284c|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000114503Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:29:32.690{D0132419-0A66-614B-5001-00000000FC01}41924344C:\Windows\Explorer.EXE{D0132419-12F4-614B-8A02-00000000FC01}4780C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62820|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000114502Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:29:32.690{D0132419-0A66-614B-5001-00000000FC01}41924344C:\Windows\Explorer.EXE{D0132419-12F4-614B-8A02-00000000FC01}4780C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000114501Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:29:30.610{D0132419-04E8-614B-6A00-00000000FC01}3852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local53288-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000114510Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:29:33.893{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F46D277C930971529E972E718BB66B2,SHA256=548E4CCA86171479089EDDBD35F9EEAFCF557C9C6010206AE2AA7669C5A48883,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000096458Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:29:33.264{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=84F2CA1A6DECC1CAA048043DB312956E,SHA256=41731BA3782CED2C4F2457585FA4F6DCF3F3C8531FBCD54749E302DE98FF16CE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000114511Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:29:34.924{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=772D31E9CF50CEC09C9D3E09122B3A19,SHA256=2DA41A39CD7DB4659DE53278B5BBE2BBF42882033F0A99901C12847F9376CEDE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000096459Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:29:34.280{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4A46C2A9A147FE794E336DD0440B6908,SHA256=7952EF7B8E5D0747ABE5DB8E00FF2374310DAB3CBC120A0C787DC529C115CCDB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000114512Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:29:35.955{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=768C53EA26DFD6D66257C413D06AB5D2,SHA256=0C8226BD3CF0F68A19A88E2D8A578D18F6D73AE3C36246F6776AA684ACEDCE4D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000096460Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:29:35.280{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=02AF727BF6F4910B53499B862423134A,SHA256=0134B928E8D36411D2A4CA7BF5D6F1B8082970D94C553358E42FF219F592973D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000114514Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:29:36.955{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DFCF76E2FD0CBD86095AB0BF119C6993,SHA256=EF9F2A869656196F1B82BDDD55AE80A808C9E4AF85FB4A92DEC7BE43150C4930,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000096461Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:29:36.295{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9854569C022E523C52A927A8540BCE6E,SHA256=25611EC818BF993E8A2A68CE268C4B6CD7F35EC7E72E82D7DDF51DD8118A33B5,IMPHASH=00000000000000000000000000000000falsetrue 534500x8000000000000000114513Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:29:36.502{D0132419-12F4-614B-8902-00000000FC01}2016C:\Users\Administrator\AppData\Roaming\WIN32\WIN32.exe 23542300x800000000000000096463Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:29:37.311{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=54FAB82CB5D74939F4ACCD0A7E1FD3B0,SHA256=1292188662EB926253C370F9A1BEDAEEB6F62EFC547B1BE652BF9113B898AB75,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000096462Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:29:35.060{601D2BAB-04F9-614B-6600-00000000FD01}2700C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-301.eu-central-1.compute.internal50461-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000114515Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:29:37.143{D0132419-04DD-614B-2800-00000000FC01}2832NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=2990B16A694DD695D7F6C8AE7AEE48F0,SHA256=B465CF03FBDF89CAB3FC04972E2D540944CDC3DF8EB3010FFE979D2D499C10D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000096464Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:29:38.561{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3E906A9C12EAC4A2BDF6ECCB344AE7B2,SHA256=F2E041EDC5A07A3DE9E5EBF7937D055764342419B0FF85695E8EDAA1F14A1787,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000114518Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:29:36.610{D0132419-04DD-614B-2800-00000000FC01}2832C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local53290-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 354300x8000000000000000114517Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:29:36.610{D0132419-04E8-614B-6A00-00000000FC01}3852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local53289-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000114516Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:29:38.002{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B538FC51E13A2236AB22921284878E39,SHA256=E431F1CF35D97C05552311776AE26A6A1F455C338BA7310FF15DD3BAECE944C4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000096465Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:29:39.592{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=56E0C3701C3DF2CFB357B581BA4FD6E2,SHA256=63C001534EE681535AEAD03FEC8E05FE266626C1C4707F182E3E25307E4EE8A4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000114519Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:29:39.018{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=80F76EC62421235CF1A2561D5735BFCC,SHA256=E140F55A32EC2C6BE615A62BBAD17F924BD51292937CEA83F4854BF31E49D9C0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000096466Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:29:40.623{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A809C6D92046EC5F7BF154A5C993F60D,SHA256=C89356BD019A1A50808BBF1CE5D74A61DA009BC0A520718445A09516820A8BF1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000114520Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:29:40.033{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE6B97B05AD2C2D434B1D9CEDA39F89F,SHA256=44B25D06BEE41CF8ECD64BB428C40F9DA5431702D70CC7A7F8CA92B55D5EAA4D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000096467Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:29:41.670{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D55A5D6E93CA07D25FE47C68C66AD72,SHA256=1DBB2E00B721DB5D4B28DB07760CC1512622BD98CECA7458B5FA3DA5065BAE5A,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000114526Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.localInvDB-VerSetValue2021-09-22 11:29:41.533{D0132419-04D0-614B-1400-00000000FC01}864C:\Windows\System32\svchost.exe\REGISTRY\A\{6a38f023-15ae-848a-2f66-d5d334eade3f}\Root\InventoryApplicationFile\win32.exe|3c636680b5a7caf8\BinProductVersion10.0.14393.0 13241300x8000000000000000114525Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.localInvDB-CompileTimeClaimSetValue2021-09-22 11:29:41.533{D0132419-04D0-614B-1400-00000000FC01}864C:\Windows\System32\svchost.exe\REGISTRY\A\{6a38f023-15ae-848a-2f66-d5d334eade3f}\Root\InventoryApplicationFile\win32.exe|3c636680b5a7caf8\LinkDate07/16/2016 02:23:21 13241300x8000000000000000114524Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.localInvDB-PubSetValue2021-09-22 11:29:41.533{D0132419-04D0-614B-1400-00000000FC01}864C:\Windows\System32\svchost.exe\REGISTRY\A\{6a38f023-15ae-848a-2f66-d5d334eade3f}\Root\InventoryApplicationFile\win32.exe|3c636680b5a7caf8\Publishermicrosoft corporation 13241300x8000000000000000114523Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.localInvDB-PathSetValue2021-09-22 11:29:41.533{D0132419-04D0-614B-1400-00000000FC01}864C:\Windows\System32\svchost.exe\REGISTRY\A\{6a38f023-15ae-848a-2f66-d5d334eade3f}\Root\InventoryApplicationFile\win32.exe|3c636680b5a7caf8\LowerCaseLongPathc:\users\administrator\appdata\roaming\win32\win32.exe 13241300x8000000000000000114522Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.localInvDBSetValue2021-09-22 11:29:41.518{D0132419-04D0-614B-1400-00000000FC01}864C:\Windows\System32\svchost.exeHKU\S-1-5-21-4212517941-3008131832-663396887-500\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store\C:\Users\Administrator\AppData\Roaming\WIN32\WIN32.exeBinary Data 23542300x8000000000000000114521Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:29:41.065{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C092A486EBC6D1DA554AF1992E55F46,SHA256=9FFA3B0C567F24A7EB783F8B4348E8A247AC9CBC58EA9E169C59825DEAFF223C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000096470Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:29:42.701{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF0C9604DECDE529449600F93E28D0A5,SHA256=8FB4AB099E78C4DB3D968205B2BE6A7C009ED7C5412A5501CC1F9490190FBD7A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000114527Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:29:42.065{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8134FFD56922930EAFAC1EE6DF50EE2A,SHA256=2C6A446028523C664D00549F2CE1D0602FA186D4CE0D028FCE6DBDC89B0EEF14,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000096469Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:29:40.215{601D2BAB-04F9-614B-6600-00000000FD01}2700C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-301.eu-central-1.compute.internal50462-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000096468Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:29:42.154{601D2BAB-04EF-614B-2300-00000000FD01}1560NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=2990B16A694DD695D7F6C8AE7AEE48F0,SHA256=B465CF03FBDF89CAB3FC04972E2D540944CDC3DF8EB3010FFE979D2D499C10D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000096472Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:29:43.701{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=916CE9340734D58881492337DA917A3E,SHA256=D05494388E4D02AAE0BFF49837021382006CB7E3FAD3AED6F55EBE8823CD888D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000114529Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:29:41.719{D0132419-04E8-614B-6A00-00000000FC01}3852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local53291-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000114528Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:29:43.080{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E599A63FF9F6194041312A4B15AF6224,SHA256=CBE86767903FD61FCEC9AE664D247C0AF8B6F7031D48C7DAEABB85290F654385,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000096471Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:29:42.106{601D2BAB-04EF-614B-2300-00000000FD01}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-301.eu-central-1.compute.internal50463-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x800000000000000096473Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:29:44.701{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E31B355962B06B554E5B669FB844951,SHA256=7901E8DC88FC798F3698000EDE8635408BA588BA3D5D4CE148526E2E737D5EA9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000114530Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:29:44.096{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D7BAB54A7D1C4E5A3338D562E54840C3,SHA256=897E8F65C6A5E287E07ED8E45F174818B7034DCD337C66987C4B4BA1CFCB34D5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000096474Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:29:45.732{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB0471EC0E34AA74F1274DA69B701C62,SHA256=00B7030EF64C247C4993499F9B37DBB1240563D66E84CA6F90908CC7ECD75DFD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000114531Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:29:45.111{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B78A483153D5290D0E3710803E04C383,SHA256=77F9D4BB88130D2300BA9159FE40CD88D69D9356A93F824B56F4357ABE10C63A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000096475Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:29:46.732{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=58CFE005700CC2264FC6D9B1776A5432,SHA256=1AFA4B3C13EC648497416ADFC2D2F8FD14324D6E52BC259DBB38893E96256D78,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000114532Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:29:46.127{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D7D37D1E5001CB41DFBEAECC7C82D8E9,SHA256=6C272F7D0EE874BED29E02948676EF12CD3BA175C10535A517DC18E3F7BB0B0A,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000096477Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:29:46.169{601D2BAB-04F9-614B-6600-00000000FD01}2700C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-301.eu-central-1.compute.internal50464-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000096476Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:29:47.748{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=298BDFC3FF9DDAC8BCF16FD37A6B7DAA,SHA256=68D16AB95A1769F28B4BAC4FE64CDFBF6131C9C1240804F0D9B556873BCD1E03,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000114533Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:29:47.143{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=36255FFBA6C453A53A3A4C3DD1F3C493,SHA256=1573913023139DEB25BE617B72812D1438018191E3E0B1C11A8D9109FCB605D8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000096478Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:29:48.794{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1456BBDA01A35818FBF418FA7042E248,SHA256=1D3430F116A9687136394F58D1EB95DE0E1B4D664F0ABDCE3FB635484F9CD95C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000114535Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:29:46.735{D0132419-04E8-614B-6A00-00000000FC01}3852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local53292-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000114534Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:29:48.158{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BFB19632FFE3952940A71322CE1D031C,SHA256=476B0CF25DCE574D695B5BA7E8BD9FF88A61871C5600DCC705F2E4A40FB391B7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000096479Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:29:49.826{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=26F26B58462A68CF6425623C14E2A088,SHA256=DC00ADFE04F6F5A46B968264EC1F814DE59BC8A79AA6B6BAC38A4FB1E7EB09EC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000114544Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:29:49.455{D0132419-04DE-614B-3100-00000000FC01}23683044C:\Windows\system32\conhost.exe{D0132419-13AD-614B-A602-00000000FC01}5736C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000114543Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:29:49.455{D0132419-04CF-614B-0C00-00000000FC01}8485248C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000114542Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:29:49.455{D0132419-04CF-614B-0C00-00000000FC01}8485248C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000114541Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:29:49.455{D0132419-04CF-614B-0C00-00000000FC01}8485248C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000114540Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:29:49.455{D0132419-04CF-614B-0C00-00000000FC01}8485248C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000114539Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:29:49.455{D0132419-04CD-614B-0500-00000000FC01}42492C:\Windows\system32\csrss.exe{D0132419-13AD-614B-A602-00000000FC01}5736C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000114538Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:29:49.455{D0132419-04DD-614B-2800-00000000FC01}28323704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D0132419-13AD-614B-A602-00000000FC01}5736C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000114537Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:29:49.456{D0132419-13AD-614B-A602-00000000FC01}5736C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D0132419-04CD-614B-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{D0132419-04DD-614B-2800-00000000FC01}2832C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000114536Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:29:49.174{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA21B8C668BC9B37BE741417728F4EA0,SHA256=25C79FA065A95BB1B4750CCBC111F02525D00C9A1CD9D9D606E2CCF200994FE8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000096480Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:29:50.826{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F50B7D175A69659E5A2334BE8A76B77,SHA256=7E16FD7947FF1A5F77906F4B010A31C2B6DBF8401242C38B29BD853C316CFBEF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000114563Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:29:50.986{D0132419-04DE-614B-3100-00000000FC01}23683044C:\Windows\system32\conhost.exe{D0132419-13AE-614B-A802-00000000FC01}4580C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000114562Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:29:50.986{D0132419-04CF-614B-0C00-00000000FC01}8485248C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000114561Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:29:50.986{D0132419-04CF-614B-0C00-00000000FC01}8485248C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000114560Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:29:50.986{D0132419-04CF-614B-0C00-00000000FC01}8485248C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000114559Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:29:50.986{D0132419-04CF-614B-0C00-00000000FC01}8485248C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000114558Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:29:50.986{D0132419-04CD-614B-0500-00000000FC01}42492C:\Windows\system32\csrss.exe{D0132419-13AE-614B-A802-00000000FC01}4580C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000114557Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:29:50.986{D0132419-04DD-614B-2800-00000000FC01}28323704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D0132419-13AE-614B-A802-00000000FC01}4580C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000114556Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:29:50.987{D0132419-13AE-614B-A802-00000000FC01}4580C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D0132419-04CD-614B-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{D0132419-04DD-614B-2800-00000000FC01}2832C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000114555Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:29:50.503{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BE347E337596D8D02C4ADFA0F4FC6E94,SHA256=265016E5F4B858578B5A0F34B53265C0BAFA597EFCF75161AFEFDF9D3CD555B3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000114554Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:29:50.503{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BCFD156C89231781199C8D92EE0E1179,SHA256=794B031612F679464E8C7BD942323202DAAC3072765B1EFC5CDE423649CE1BF3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000114553Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:29:50.486{D0132419-04DE-614B-3100-00000000FC01}23683044C:\Windows\system32\conhost.exe{D0132419-13AE-614B-A702-00000000FC01}5840C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000114552Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:29:50.486{D0132419-04CF-614B-0C00-00000000FC01}8485248C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000114551Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:29:50.486{D0132419-04CF-614B-0C00-00000000FC01}8485248C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000114550Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:29:50.486{D0132419-04CF-614B-0C00-00000000FC01}8485248C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000114549Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:29:50.486{D0132419-04CF-614B-0C00-00000000FC01}8485248C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000114548Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:29:50.486{D0132419-04CD-614B-0500-00000000FC01}42492C:\Windows\system32\csrss.exe{D0132419-13AE-614B-A702-00000000FC01}5840C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000114547Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:29:50.486{D0132419-04DD-614B-2800-00000000FC01}28323704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D0132419-13AE-614B-A702-00000000FC01}5840C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000114546Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:29:50.487{D0132419-13AE-614B-A702-00000000FC01}5840C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D0132419-04CD-614B-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{D0132419-04DD-614B-2800-00000000FC01}2832C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000114545Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:29:50.190{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=03AC38F0D818F5274794176FAA6B3AE2,SHA256=43EE5AB3ADC3CCA63F551633244DBE745CEAC82B492AA35181168322C8274DBE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000096481Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:29:51.888{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB88D460016C7E2C0C40FC973053E7ED,SHA256=B9A9E218E05515BC684A562C0E77713261841E9CAC30439B63A9708095A64E8D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000114566Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:29:51.986{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BE347E337596D8D02C4ADFA0F4FC6E94,SHA256=265016E5F4B858578B5A0F34B53265C0BAFA597EFCF75161AFEFDF9D3CD555B3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000114565Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:29:51.190{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C3542CC1A78973C71FC78672AFCA4690,SHA256=8E53D4664268CC6F5DFC4C5D19CEE405B307E5DA6BE29E6E9402F069AB86A4B7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000114564Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:29:51.158{D0132419-13AE-614B-A802-00000000FC01}45805852C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{D0132419-04DD-614B-2800-00000000FC01}2832C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000096482Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:29:52.888{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=94A57826D603047E775CBBC67D939725,SHA256=07013CAD0D3D804A4436905E17CF67A0896B9CC6D944AE321C490EEE5BD77A83,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000114569Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:29:50.532{D0132419-04CD-614B-0B00-00000000FC01}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local53293-true0:0:0:0:0:0:0:1win-dc-639.attackrange.local389ldap 354300x8000000000000000114568Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:29:50.532{D0132419-04DD-614B-2500-00000000FC01}2784C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local53293-true0:0:0:0:0:0:0:1win-dc-639.attackrange.local389ldap 23542300x8000000000000000114567Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:29:52.205{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE65AA0586D22C4A64BD2DBBB0825872,SHA256=BC60123F4A17FEFCEA2F34926617DF7793A44287AF339C71B0E66B407D80B56C,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000096484Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:29:52.137{601D2BAB-04F9-614B-6600-00000000FD01}2700C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-301.eu-central-1.compute.internal50465-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000096483Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:29:53.888{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2ECAB90E00DEEBBF4FD53A07B8B0770B,SHA256=042140C65C77377B3B2FD1C53B6F0F57CD355AFD8B98258E110B3EC5AD3B4597,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000114579Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:29:53.721{D0132419-13B1-614B-A902-00000000FC01}38285820C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D0132419-04DD-614B-2800-00000000FC01}2832C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000114578Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:29:53.565{D0132419-04DE-614B-3100-00000000FC01}23683044C:\Windows\system32\conhost.exe{D0132419-13B1-614B-A902-00000000FC01}3828C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000114577Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:29:53.565{D0132419-04CF-614B-0C00-00000000FC01}8485248C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000114576Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:29:53.565{D0132419-04CF-614B-0C00-00000000FC01}8485248C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000114575Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:29:53.565{D0132419-04CF-614B-0C00-00000000FC01}8485248C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000114574Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:29:53.565{D0132419-04CF-614B-0C00-00000000FC01}8485248C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000114573Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:29:53.565{D0132419-04CD-614B-0500-00000000FC01}424440C:\Windows\system32\csrss.exe{D0132419-13B1-614B-A902-00000000FC01}3828C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000114572Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:29:53.565{D0132419-04DD-614B-2800-00000000FC01}28323704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D0132419-13B1-614B-A902-00000000FC01}3828C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000114571Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:29:53.566{D0132419-13B1-614B-A902-00000000FC01}3828C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D0132419-04CD-614B-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{D0132419-04DD-614B-2800-00000000FC01}2832C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000114570Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:29:53.221{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2CE5270A4B3592C60214C692CE5F3D04,SHA256=F42A6D0684BFD634CF3B0E2659F748DCBA7BA15A6C6DA813400B412EBD909999,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000096485Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:29:54.888{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=69718E5CBDD4A721B8893F7D6D788966,SHA256=2D7E8466A0A4B9E2399373C402D503EAB4EE3BEDC25938BDD7BAE6AF3A41555C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000114582Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:29:52.720{D0132419-04E8-614B-6A00-00000000FC01}3852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local53294-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000114581Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:29:54.580{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=99BE8F418DB2B030F06EBE5AA854DD2F,SHA256=9E4D016400826825E92E65AAAFD62F1826DF4CAAE4B2ED69F58B5306600E4147,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000114580Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:29:54.236{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B99ACF0C91CE89ABD5F913422F666DCA,SHA256=92E97E7A322B734F0EA3349A41369AE0B629BBB2DA425B687DDA85664577EC15,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000096487Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:29:55.888{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C93B64966D32B88E98C6D6670E2D8C8B,SHA256=5DE608ACEA8CC5A5B8CCCECBD7EEC2EE89E59CF706C1EE9E2D147FDDE40BF736,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000114583Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:29:55.252{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B364100ABC36E740896A00AE2FA50367,SHA256=B897F19E71F2EAA1B3D6418C22D1D18E770768C119E2E787536C3167B0C9FFAC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000096486Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:29:55.357{601D2BAB-04EE-614B-1100-00000000FD01}972NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=62771A159E334177C1956D4D013FD4F4,SHA256=D079FF319A07F6519FD1406D3B6C24164CDBE21C46BF18124EFA94B5C5BE44BE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000096498Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:29:56.904{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=253D2012B5E5E0D2CF1D143B3E1EB1D6,SHA256=FB48AB4FD3D925BDB458F088FE7D64823827ED416588B2E12DE0CDF0726AD8A2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000114584Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:29:56.283{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7765B08861A34735C78320E48C533C40,SHA256=C63BCE7EB687E27D04B9B4985818E2F668D142EAEA08D8632666EA2A355AAB21,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000096497Microsoft-Windows-Sysmon/Operationalwin-host-301-SetValue2021-09-22 11:29:56.044{601D2BAB-04EE-614B-0B00-00000000FD01}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x800000000000000096496Microsoft-Windows-Sysmon/Operationalwin-host-301-SetValue2021-09-22 11:29:56.044{601D2BAB-04EE-614B-0B00-00000000FD01}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x003a5096) 13241300x800000000000000096495Microsoft-Windows-Sysmon/Operationalwin-host-301-SetValue2021-09-22 11:29:56.044{601D2BAB-04EE-614B-0B00-00000000FD01}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7af9c-0xc8ff44bd) 13241300x800000000000000096494Microsoft-Windows-Sysmon/Operationalwin-host-301-SetValue2021-09-22 11:29:56.044{601D2BAB-04EE-614B-0B00-00000000FD01}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7afa5-0x2ac3acbd) 13241300x800000000000000096493Microsoft-Windows-Sysmon/Operationalwin-host-301-SetValue2021-09-22 11:29:56.044{601D2BAB-04EE-614B-0B00-00000000FD01}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7afad-0x8c8814bd) 13241300x800000000000000096492Microsoft-Windows-Sysmon/Operationalwin-host-301-SetValue2021-09-22 11:29:56.044{601D2BAB-04EE-614B-0B00-00000000FD01}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x800000000000000096491Microsoft-Windows-Sysmon/Operationalwin-host-301-SetValue2021-09-22 11:29:56.044{601D2BAB-04EE-614B-0B00-00000000FD01}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x003a5096) 13241300x800000000000000096490Microsoft-Windows-Sysmon/Operationalwin-host-301-SetValue2021-09-22 11:29:56.044{601D2BAB-04EE-614B-0B00-00000000FD01}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7af9c-0xc8ff44bd) 13241300x800000000000000096489Microsoft-Windows-Sysmon/Operationalwin-host-301-SetValue2021-09-22 11:29:56.044{601D2BAB-04EE-614B-0B00-00000000FD01}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7afa5-0x2ac3acbd) 13241300x800000000000000096488Microsoft-Windows-Sysmon/Operationalwin-host-301-SetValue2021-09-22 11:29:56.044{601D2BAB-04EE-614B-0B00-00000000FD01}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7afad-0x8c8814bd) 23542300x800000000000000096499Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:29:57.919{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=37A703EC0B62B4A0C4AAB5A92772C666,SHA256=082C0C135C6ACD839DC0ADD7E5EFAAA288528EFEBD2CAEF0C245666AA4496365,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000114585Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:29:57.283{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC17B221CED981D204F9F40D81C5A23B,SHA256=FB2F056CB0282708C43F45F86BD5CE5EB762ED9B61E7F4C19025F61A4A244276,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000096500Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:29:58.919{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BDC3B719B6FFC86032809802AC8B06B8,SHA256=7653A46B9E3E179C8604FC6EEAAD1B7FB6FEA1E49D73B72462F601CBEB1CC4D4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000114586Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:29:58.299{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=04ABBC1385AB644A5F8CC55D5345D8F7,SHA256=183ED74684E758A15039AB37F0214B9376BAB1C1B7E673811CD565FF1EDB0CA8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000096501Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:29:59.935{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E7F132C065A4EC8D94B7096C4AA9970,SHA256=FCDB987755EDD9F03E933DF3E535CDDBE912B5121FDEA3591BB0B23ADA832DA4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000114587Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:29:59.330{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3BB12737968A9E131E6C1693055B721F,SHA256=61AD0A9E6BD455DC8BE927A83A29273F64EF38D20D3AE4DCD110C55E36E7C6D2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000096502Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:30:00.944{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5902616D12914B480379C4C7FE4668EC,SHA256=B8CC1D0865F5AF8C467B03B6F9A529359B95EE72C16B459F998C2F88AF39F814,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000114588Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:30:00.330{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2CFD241258803A46F3F70E636312B985,SHA256=542AC50414CFB099E0652B256FCAE19516EF5FC3FBD2FD20CE1B32C00C6B7621,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000096504Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:30:01.975{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=99F2BBCE0192C0D7DE4E7DDA7CD07BF1,SHA256=46D39EF42A1262A44B9110FED526BA6801DFC97AB07AC4365BAB49B4C1B8CBB7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000114590Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:30:01.393{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E9D5B629C79B14CC2FF08A3AB1120B4,SHA256=CFEFCBC3D42198B3FFDEDD88489D7ABDB3128B3A0E651732D9D6DF85D2FEF54F,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000096503Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:29:58.137{601D2BAB-04F9-614B-6600-00000000FD01}2700C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-301.eu-central-1.compute.internal50466-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000114589Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:29:58.594{D0132419-04E8-614B-6A00-00000000FC01}3852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local53295-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000096505Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:30:02.975{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0AA99B45411D831E940AAF443F41E231,SHA256=C7FCFDCFB5006523324B7D190D67AE59ABAF3EE7493BA9E2FBDF6E282BF06F4B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000114591Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:30:02.408{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7BB65206ADECE5477EA911AC1471214A,SHA256=FB215827A8B456EE77DD3B9DC099AF0BDF33E7092AB94CEAC1FE442BD852559E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000096506Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:30:03.991{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E52B71E88EE815E24CA8A80D7471033,SHA256=7D83EFAE2C9A3FD03A91CD5188D5F3033694E4DA61D59D15B680F09D75633A24,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000114592Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:30:03.486{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=51266EE8287A65E216FE4C16E0691522,SHA256=6AE59A604A464BB2F0000ADAAC8917060B0C3C76E6E55E3A0947AF3113FE0139,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000114593Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:30:04.533{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0A707D17D36FC6656C39CA7753D8EBF6,SHA256=8820CBC4E6F433ABEFE08757B6F5C73D6388BBED587C88B14F9CD5776973AB7B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000114595Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:30:05.533{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA26E831E1A120C7197AF74562C10B70,SHA256=1FFB4A0003F98E7919DD216A5FA6F1CD851BCD1F16E1069F152D8EF5EE64B51D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000096520Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:30:05.866{601D2BAB-04F0-614B-2B00-00000000FD01}28122832C:\Windows\system32\conhost.exe{601D2BAB-13BD-614B-5002-00000000FD01}2412C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000096519Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:30:05.866{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000096518Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:30:05.866{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000096517Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:30:05.866{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000096516Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:30:05.866{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000096515Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:30:05.866{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000096514Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:30:05.866{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000096513Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:30:05.866{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000096512Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:30:05.866{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000096511Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:30:05.866{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000096510Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:30:05.866{601D2BAB-04ED-614B-0500-00000000FD01}412428C:\Windows\system32\csrss.exe{601D2BAB-13BD-614B-5002-00000000FD01}2412C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000096509Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:30:05.866{601D2BAB-04EF-614B-2300-00000000FD01}15603852C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{601D2BAB-13BD-614B-5002-00000000FD01}2412C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000096508Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:30:05.866{601D2BAB-13BD-614B-5002-00000000FD01}2412C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{601D2BAB-04EE-614B-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{601D2BAB-04EF-614B-2300-00000000FD01}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000096507Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:30:05.006{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0FCFD0E238FD49B71E27DD2D4C1A3B1D,SHA256=382A467F20FED136CA8B35FAC91A507DA7F8AAA581EB708E6F4156358D8BF02C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000114594Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:30:03.704{D0132419-04E8-614B-6A00-00000000FC01}3852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local53296-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x8000000000000000114613Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:30:06.846{D0132419-04DE-614B-3100-00000000FC01}23683044C:\Windows\system32\conhost.exe{D0132419-13BE-614B-AB02-00000000FC01}4312C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000114612Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:30:06.846{D0132419-04CF-614B-0C00-00000000FC01}8485248C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000114611Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:30:06.846{D0132419-04CF-614B-0C00-00000000FC01}8485248C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000114610Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:30:06.846{D0132419-04CF-614B-0C00-00000000FC01}8485248C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000114609Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:30:06.846{D0132419-04CF-614B-0C00-00000000FC01}8485248C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000114608Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:30:06.846{D0132419-04CD-614B-0500-00000000FC01}424440C:\Windows\system32\csrss.exe{D0132419-13BE-614B-AB02-00000000FC01}4312C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000114607Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:30:06.846{D0132419-04DD-614B-2800-00000000FC01}28323704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D0132419-13BE-614B-AB02-00000000FC01}4312C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000114606Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:30:06.847{D0132419-13BE-614B-AB02-00000000FC01}4312C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D0132419-04CD-614B-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{D0132419-04DD-614B-2800-00000000FC01}2832C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000114605Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:30:06.549{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E3E883E6205E2FDBF93C971C8F657F7,SHA256=35E871CBE88F7555BA2D55843DC77882F155FAF7A0253A988147794CD106E273,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000096522Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:30:04.147{601D2BAB-04F9-614B-6600-00000000FD01}2700C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-301.eu-central-1.compute.internal50467-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000096521Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:30:06.006{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C1F127CD037F17219BC67F7B706E9AB4,SHA256=DF948D56B531C2EA47E23BEAEE8659B3688B0022845228DCC723CC6DC1721595,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000114604Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:30:06.439{D0132419-13BE-614B-AA02-00000000FC01}45045744C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D0132419-04DD-614B-2800-00000000FC01}2832C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000114603Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:30:06.283{D0132419-04DE-614B-3100-00000000FC01}23683044C:\Windows\system32\conhost.exe{D0132419-13BE-614B-AA02-00000000FC01}4504C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000114602Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:30:06.283{D0132419-04CF-614B-0C00-00000000FC01}8485248C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000114601Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:30:06.283{D0132419-04CF-614B-0C00-00000000FC01}8485248C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000114600Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:30:06.283{D0132419-04CF-614B-0C00-00000000FC01}8485248C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000114599Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:30:06.283{D0132419-04CF-614B-0C00-00000000FC01}8485248C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000114598Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:30:06.283{D0132419-04CD-614B-0500-00000000FC01}424540C:\Windows\system32\csrss.exe{D0132419-13BE-614B-AA02-00000000FC01}4504C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000114597Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:30:06.283{D0132419-04DD-614B-2800-00000000FC01}28323704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D0132419-13BE-614B-AA02-00000000FC01}4504C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000114596Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:30:06.284{D0132419-13BE-614B-AA02-00000000FC01}4504C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{D0132419-04CD-614B-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{D0132419-04DD-614B-2800-00000000FC01}2832C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000114625Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:30:07.596{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9EA1C61A650692FE9025A80D6C7BE843,SHA256=7C4E63B1E9459FAFC0A7FB4D1D0264EAE36D6384AE64AC2FF911764BF23A3DDD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000096552Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:30:07.834{601D2BAB-13BF-614B-5202-00000000FD01}10882352C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{601D2BAB-04EF-614B-2300-00000000FD01}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000096551Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:30:07.709{601D2BAB-04F0-614B-2B00-00000000FD01}28122832C:\Windows\system32\conhost.exe{601D2BAB-13BF-614B-5202-00000000FD01}1088C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000096550Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:30:07.709{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000096549Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:30:07.709{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000096548Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:30:07.709{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000096547Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:30:07.709{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000096546Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:30:07.709{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000096545Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:30:07.709{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000096544Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:30:07.709{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000096543Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:30:07.709{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000096542Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:30:07.709{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000096541Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:30:07.709{601D2BAB-04ED-614B-0500-00000000FD01}412528C:\Windows\system32\csrss.exe{601D2BAB-13BF-614B-5202-00000000FD01}1088C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000096540Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:30:07.709{601D2BAB-04EF-614B-2300-00000000FD01}15603852C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{601D2BAB-13BF-614B-5202-00000000FD01}1088C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000096539Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:30:07.710{601D2BAB-13BF-614B-5202-00000000FD01}1088C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{601D2BAB-04EE-614B-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{601D2BAB-04EF-614B-2300-00000000FD01}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000096538Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:30:07.053{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BE33FE3A29663FE4BDEA2C61E43A4111,SHA256=B9B3CBDEF634F2E86BC20DD66F9C79BEAA6F05757384373DEEE41D3AFF931884,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000096537Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:30:07.053{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5774E63E81BF64ACBC8C4B8BED1DBDF2,SHA256=411EADD0D4B2FC32D83826C7CB4C218A49F50757CEF365695BA6AC0583F68B78,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000096536Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:30:07.037{601D2BAB-04F0-614B-2B00-00000000FD01}28122832C:\Windows\system32\conhost.exe{601D2BAB-13BF-614B-5102-00000000FD01}3652C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000096535Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:30:07.037{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000096534Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:30:07.037{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000096533Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:30:07.037{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000096532Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:30:07.037{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000096531Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:30:07.037{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000096530Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:30:07.037{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000096529Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:30:07.037{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000096528Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:30:07.037{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000096527Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:30:07.037{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000096526Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:30:07.037{601D2BAB-04ED-614B-0500-00000000FD01}412528C:\Windows\system32\csrss.exe{601D2BAB-13BF-614B-5102-00000000FD01}3652C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000096525Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:30:07.037{601D2BAB-04EF-614B-2300-00000000FD01}15603852C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{601D2BAB-13BF-614B-5102-00000000FD01}3652C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000096524Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:30:07.038{601D2BAB-13BF-614B-5102-00000000FD01}3652C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{601D2BAB-04EE-614B-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{601D2BAB-04EF-614B-2300-00000000FD01}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000096523Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:30:07.006{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D5C74B1E6EA5E0ACD01CC64011D62035,SHA256=8247434A08167B45DAB05A712F6BBA462F6BA9DC3F43D21F0679215B5F6CEF5F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000114624Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:30:07.471{D0132419-04DE-614B-3100-00000000FC01}23683044C:\Windows\system32\conhost.exe{D0132419-13BF-614B-AC02-00000000FC01}3512C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000114623Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:30:07.471{D0132419-04CF-614B-0C00-00000000FC01}8485248C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000114622Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:30:07.471{D0132419-04CF-614B-0C00-00000000FC01}8485248C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000114621Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:30:07.471{D0132419-04CF-614B-0C00-00000000FC01}8485248C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000114620Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:30:07.471{D0132419-04CF-614B-0C00-00000000FC01}8485248C:\Windows\system32\svchost.exe{D0132419-04DD-614B-2300-00000000FC01}2768C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000114619Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:30:07.471{D0132419-04CD-614B-0500-00000000FC01}424540C:\Windows\system32\csrss.exe{D0132419-13BF-614B-AC02-00000000FC01}3512C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000114618Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:30:07.471{D0132419-04DD-614B-2800-00000000FC01}28323704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D0132419-13BF-614B-AC02-00000000FC01}3512C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000114617Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:30:07.472{D0132419-13BF-614B-AC02-00000000FC01}3512C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D0132419-04CD-614B-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{D0132419-04DD-614B-2800-00000000FC01}2832C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000114616Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:30:07.299{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=71BEF1BB98413B788BC386A548735F6A,SHA256=6DD26852022354D48DCE3BD7F998E84EA310EF7CF79BC57BEDD4921CE9039BCD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000114615Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:30:07.299{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7B6B8D2B08747E0F9321038708AFEED0,SHA256=E2A277256CF00F69AEDA8DB718765CE7EB3D3C86D69BD65D21CFCE1476DD84D1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000114614Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:30:07.002{D0132419-13BE-614B-AB02-00000000FC01}43124888C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{D0132419-04DD-614B-2800-00000000FC01}2832C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000114628Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:30:08.815{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A020AF4ED911D5798A3D8758874220A8,SHA256=81869D617BC2B4458C3CED3D66B9949951B6D0682709ADEEC82FFEB13E966E5B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000096554Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:30:08.834{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BE33FE3A29663FE4BDEA2C61E43A4111,SHA256=B9B3CBDEF634F2E86BC20DD66F9C79BEAA6F05757384373DEEE41D3AFF931884,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000096553Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:30:08.444{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0EBC642AA0124DC104B10EA4195A6229,SHA256=06C8D73642BB4817DD03378283A0EA736BB55D43DA73C1BBB89270300FA39AB7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000114627Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:30:08.549{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=71BEF1BB98413B788BC386A548735F6A,SHA256=6DD26852022354D48DCE3BD7F998E84EA310EF7CF79BC57BEDD4921CE9039BCD,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000114626Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-SetValue2021-09-22 11:30:08.502{D0132419-04D0-614B-1200-00000000FC01}628C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d7afa5-0x32a7945a) 23542300x8000000000000000114629Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:30:09.830{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB2A801F27B0D138CCEBFC800D9BC572,SHA256=EA3C6B7836CEA66828608A7445A6C939A7B8249054D59E2B5BD2C57FC61A360F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000096569Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:30:09.725{601D2BAB-13C1-614B-5302-00000000FD01}23922928C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{601D2BAB-04EF-614B-2300-00000000FD01}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000096568Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:30:09.584{601D2BAB-04F0-614B-2B00-00000000FD01}28122832C:\Windows\system32\conhost.exe{601D2BAB-13C1-614B-5302-00000000FD01}2392C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000096567Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:30:09.584{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000096566Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:30:09.584{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000096565Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:30:09.584{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000096564Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:30:09.584{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000096563Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:30:09.584{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000096562Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:30:09.584{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000096561Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:30:09.584{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000096560Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:30:09.584{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000096559Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:30:09.584{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000096558Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:30:09.584{601D2BAB-04ED-614B-0500-00000000FD01}412528C:\Windows\system32\csrss.exe{601D2BAB-13C1-614B-5302-00000000FD01}2392C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000096557Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:30:09.584{601D2BAB-04EF-614B-2300-00000000FD01}15603852C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{601D2BAB-13C1-614B-5302-00000000FD01}2392C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000096556Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:30:09.585{601D2BAB-13C1-614B-5302-00000000FD01}2392C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{601D2BAB-04EE-614B-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{601D2BAB-04EF-614B-2300-00000000FD01}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000096555Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:30:09.490{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A85357848DC5537A01808330EFB3712,SHA256=21917F53EE3536E8BA3446EFF78CB98E20EDC2E9CE06579091F1D0ECE7D7C7B3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000114630Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:30:10.846{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C3C590209B335927539AE1E7ACFD37D,SHA256=DB2ACFD33470D6A85E3E017E8DC0706BE20A1738B2B84FB051DF4476E3800A31,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000096599Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:30:10.944{601D2BAB-13C2-614B-5502-00000000FD01}33281352C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{601D2BAB-04EF-614B-2300-00000000FD01}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000096598Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:30:10.819{601D2BAB-04F0-614B-2B00-00000000FD01}28122832C:\Windows\system32\conhost.exe{601D2BAB-13C2-614B-5502-00000000FD01}3328C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000096597Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:30:10.819{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000096596Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:30:10.819{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000096595Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:30:10.819{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000096594Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:30:10.819{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000096593Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:30:10.819{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000096592Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:30:10.819{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000096591Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:30:10.819{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000096590Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:30:10.819{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000096589Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:30:10.819{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000096588Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:30:10.819{601D2BAB-04ED-614B-0500-00000000FD01}412428C:\Windows\system32\csrss.exe{601D2BAB-13C2-614B-5502-00000000FD01}3328C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000096587Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:30:10.819{601D2BAB-04EF-614B-2300-00000000FD01}15603852C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{601D2BAB-13C2-614B-5502-00000000FD01}3328C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000096586Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:30:10.821{601D2BAB-13C2-614B-5502-00000000FD01}3328C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{601D2BAB-04EE-614B-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{601D2BAB-04EF-614B-2300-00000000FD01}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000096585Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:30:10.819{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E33B8640FF86DDC834F48E50FEF0B715,SHA256=A6371CBB5CBCB114AEFC122F6820C6BEA11EF6B16841154D675D8076989042E0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000096584Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:30:10.819{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B14E1FA1D4E0A2537695F1747FA273CF,SHA256=413607F0993034105361EA90D6185ACFC9C73DCF96CAB08B49C9A4AFBC96F529,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000096583Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:30:10.381{601D2BAB-13C2-614B-5402-00000000FD01}34322884C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{601D2BAB-04EF-614B-2300-00000000FD01}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000096582Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:30:10.256{601D2BAB-04F0-614B-2B00-00000000FD01}28122832C:\Windows\system32\conhost.exe{601D2BAB-13C2-614B-5402-00000000FD01}3432C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000096581Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:30:10.256{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000096580Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:30:10.256{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000096579Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:30:10.256{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000096578Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:30:10.256{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000096577Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:30:10.256{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000096576Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:30:10.256{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000096575Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:30:10.256{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000096574Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:30:10.256{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000096573Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:30:10.256{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000096572Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:30:10.256{601D2BAB-04ED-614B-0500-00000000FD01}412428C:\Windows\system32\csrss.exe{601D2BAB-13C2-614B-5402-00000000FD01}3432C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000096571Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:30:10.256{601D2BAB-04EF-614B-2300-00000000FD01}15603852C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{601D2BAB-13C2-614B-5402-00000000FD01}3432C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000096570Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:30:10.257{601D2BAB-13C2-614B-5402-00000000FD01}3432C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{601D2BAB-04EE-614B-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{601D2BAB-04EF-614B-2300-00000000FD01}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000114631Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:30:09.688{D0132419-04E8-614B-6A00-00000000FC01}3852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local53297-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000096601Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:30:11.865{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3FBFA2E09D6252F41725448BE3B02A6F,SHA256=ADF71AF57442358BD084E646C8B6B989863E7AE80CE4A8740B0C36B9D5FCD335,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000096600Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:30:10.131{601D2BAB-04F9-614B-6600-00000000FD01}2700C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-301.eu-central-1.compute.internal50468-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000114632Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:30:12.064{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E83D4B90E29397432D3FF8BA11063C3F,SHA256=08F0C296564F33DA121598585C49A5D4127BB51C69DF9215E6E047A8057BC923,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000096615Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:30:12.959{601D2BAB-04F0-614B-2B00-00000000FD01}28122832C:\Windows\system32\conhost.exe{601D2BAB-13C4-614B-5602-00000000FD01}3076C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000096614Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:30:12.959{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000096613Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:30:12.959{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000096612Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:30:12.959{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000096611Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:30:12.959{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000096610Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:30:12.959{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000096609Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:30:12.959{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000096608Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:30:12.959{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000096607Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:30:12.959{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000096606Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:30:12.959{601D2BAB-04EE-614B-0C00-00000000FD01}724772C:\Windows\system32\svchost.exe{601D2BAB-04EF-614B-2100-00000000FD01}2028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000096605Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:30:12.959{601D2BAB-04ED-614B-0500-00000000FD01}412428C:\Windows\system32\csrss.exe{601D2BAB-13C4-614B-5602-00000000FD01}3076C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000096604Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:30:12.959{601D2BAB-04EF-614B-2300-00000000FD01}15603852C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{601D2BAB-13C4-614B-5602-00000000FD01}3076C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000096603Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:30:12.960{601D2BAB-13C4-614B-5602-00000000FD01}3076C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{601D2BAB-04EE-614B-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{601D2BAB-04EF-614B-2300-00000000FD01}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000096602Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:30:12.053{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B9870B2CC1611F9636732EC782D3EBE,SHA256=EE49FFB4FD2BC58739DF7B128AA0073297132693F169DD921D9792C68D1DC28B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000114634Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:30:13.289{D0132419-04DD-614B-2900-00000000FC01}2876NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-00d0db05f68d8430c\channels\health\respondent-20210922102639-061MD5=345F625AB226979275E8E5CD8333D545,SHA256=49B2C959B2C09B2DF7CFAED4905912E8B63F426A3734D76F2BAAFA07100D73D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000114633Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:30:13.067{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D81F91C0F5FD25B73792FFEC9B34ECB,SHA256=F86404411493336DDD526E6522D3BFB805446C86A459DA0E804016A83F0D03F8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000096616Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:30:13.053{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A1BE028674D8A70C106582B8213555C0,SHA256=943D4CAC162D61D91018B804B246A99C09723E8A528FB3D56B82E1329DBA6F9E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000096618Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:30:14.178{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=33C01D50CE3579C16AB2AB8C26D3B6CD,SHA256=C4AB7A9D7B5BA2B074AE29E3643E4AA9E00671E21AD5BD90667F67AB4430A617,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000096617Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:30:14.068{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=40783C9CD4916F4115DAC4F53C7EB2CD,SHA256=75DCCD1A7346EAD22739CDB5B4F43297B8A29945DFF2D2B888466BE6534BAC02,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000114636Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:30:14.292{D0132419-04DD-614B-2900-00000000FC01}2876NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-00d0db05f68d8430c\channels\health\surveyor-20210922102637-062MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000114635Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:30:14.072{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E532B122338E4B0FC02C576296EAAF13,SHA256=FC9F4FE8EC1EA717090DAC5DC0CB740F1B6ACEE3937DEAFBC55EAC80E586B838,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000114637Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:30:15.089{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=488910DFC517BD722E2DC4F03A9FA77F,SHA256=58E8276870209CEBF5A010B0A653478F3519418F76A0744D535A92C7359F0141,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000096619Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:30:15.069{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B3FF54FD6387DF1B0222BCDE117277DF,SHA256=2A46FDE68F3C42ED24CD340F56F8E46F71C386CDEBC3652A98A4F41287C11448,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000114638Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:30:16.121{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=62F9EDB7D17048B5A3560A78D260C244,SHA256=A425D6E923441DA0F7486C076E37BCC9BFCAB7A52E57D9E29743700149AD4052,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000096621Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:30:15.178{601D2BAB-04F9-614B-6600-00000000FD01}2700C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-301.eu-central-1.compute.internal50469-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000096620Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:30:16.084{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B6B436EB14EC274166EB84E7EA4A8E4,SHA256=26BE6F26E9AEF517C46EA2FC73FC183911F36AA1A7F41B7811A4CF4A5E7F1CD5,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000114640Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:30:15.634{D0132419-04E8-614B-6A00-00000000FC01}3852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local53298-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000114639Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:30:17.136{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=09A1B9873732A02483B53ABEE2474CFB,SHA256=F7682ABD955C6F8F34D84B86BCFEA14CA1F7CDC1BCA26C0A7442C433C6891CC5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000096622Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:30:17.084{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F660D5D1F1DC2DB13A75D86C41BE4342,SHA256=B9625A3913AD9E62E4F8F781B8767EF2F07E5111E571DCC80E1C5CFCA19861E6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000114641Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:30:18.167{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0360DB6AB83F489AAABB11A81BC025EF,SHA256=C23A17F6FC8562904D942E0D0F1361ACF6BD5C01BFA77AFE84AFC5E80095D8AF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000096623Microsoft-Windows-Sysmon/Operationalwin-host-301-2021-09-22 11:30:18.100{601D2BAB-0500-614B-7000-00000000FD01}3500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1083978E7181496D39964E27740A58CB,SHA256=E5F5D7D57A82D460B9F1281B4D1CB0E02A657284E2E7B84574E932F750C07C08,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000114642Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-09-22 11:30:19.183{D0132419-04EF-614B-7300-00000000FC01}4044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B786EEB697378DD02B26CE59E191E32,SHA256=AD10A979A635E25C54CA1F0AC05AEB85E287C66694A8BB27EAD1B1989CCA0C83,IMPHASH=00000000000000000000000000000000falsetrue